diff options
Diffstat (limited to 'security')
46 files changed, 1192 insertions, 799 deletions
diff --git a/security/capability.c b/security/capability.c index 4875142b858..8168e3ecd5b 100644 --- a/security/capability.c +++ b/security/capability.c @@ -12,11 +12,6 @@ #include <linux/security.h> -static int cap_acct(struct file *file) -{ - return 0; -} - static int cap_sysctl(ctl_table *table, int op) { return 0; @@ -80,42 +75,16 @@ static int cap_sb_mount(char *dev_name, struct path *path, char *type, return 0; } -static int cap_sb_check_sb(struct vfsmount *mnt, struct path *path) -{ - return 0; -} - static int cap_sb_umount(struct vfsmount *mnt, int flags) { return 0; } -static void cap_sb_umount_close(struct vfsmount *mnt) -{ -} - -static void cap_sb_umount_busy(struct vfsmount *mnt) -{ -} - -static void cap_sb_post_remount(struct vfsmount *mnt, unsigned long flags, - void *data) -{ -} - -static void cap_sb_post_addmount(struct vfsmount *mnt, struct path *path) -{ -} - static int cap_sb_pivotroot(struct path *old_path, struct path *new_path) { return 0; } -static void cap_sb_post_pivotroot(struct path *old_path, struct path *new_path) -{ -} - static int cap_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts) { @@ -221,10 +190,6 @@ static int cap_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) return 0; } -static void cap_inode_delete(struct inode *ino) -{ -} - static void cap_inode_post_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { @@ -403,10 +368,6 @@ static int cap_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) return 0; } -static void cap_cred_commit(struct cred *new, const struct cred *old) -{ -} - static void cap_cred_transfer(struct cred *new, const struct cred *old) { } @@ -426,16 +387,6 @@ static int cap_kernel_module_request(char *kmod_name) return 0; } -static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) -{ - return 0; -} - -static int cap_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) -{ - return 0; -} - static int cap_task_setpgid(struct task_struct *p, pid_t pgid) { return 0; @@ -456,11 +407,6 @@ static void cap_task_getsecid(struct task_struct *p, u32 *secid) *secid = 0; } -static int cap_task_setgroups(struct group_info *group_info) -{ - return 0; -} - static int cap_task_getioprio(struct task_struct *p) { return 0; @@ -875,13 +821,6 @@ static int cap_key_getsecurity(struct key *key, char **_buffer) return 0; } -static int cap_key_session_to_parent(const struct cred *cred, - const struct cred *parent_cred, - struct key *key) -{ - return 0; -} - #endif /* CONFIG_KEYS */ #ifdef CONFIG_AUDIT @@ -915,13 +854,12 @@ static void cap_audit_rule_free(void *lsmrule) } \ } while (0) -void security_fixup_ops(struct security_operations *ops) +void __init security_fixup_ops(struct security_operations *ops) { set_to_cap_if_null(ops, ptrace_access_check); set_to_cap_if_null(ops, ptrace_traceme); set_to_cap_if_null(ops, capget); set_to_cap_if_null(ops, capset); - set_to_cap_if_null(ops, acct); set_to_cap_if_null(ops, capable); set_to_cap_if_null(ops, quotactl); set_to_cap_if_null(ops, quota_on); @@ -941,14 +879,8 @@ void security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, sb_show_options); set_to_cap_if_null(ops, sb_statfs); set_to_cap_if_null(ops, sb_mount); - set_to_cap_if_null(ops, sb_check_sb); set_to_cap_if_null(ops, sb_umount); - set_to_cap_if_null(ops, sb_umount_close); - set_to_cap_if_null(ops, sb_umount_busy); - set_to_cap_if_null(ops, sb_post_remount); - set_to_cap_if_null(ops, sb_post_addmount); set_to_cap_if_null(ops, sb_pivotroot); - set_to_cap_if_null(ops, sb_post_pivotroot); set_to_cap_if_null(ops, sb_set_mnt_opts); set_to_cap_if_null(ops, sb_clone_mnt_opts); set_to_cap_if_null(ops, sb_parse_opts_str); @@ -968,7 +900,6 @@ void security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, inode_permission); set_to_cap_if_null(ops, inode_setattr); set_to_cap_if_null(ops, inode_getattr); - set_to_cap_if_null(ops, inode_delete); set_to_cap_if_null(ops, inode_setxattr); set_to_cap_if_null(ops, inode_post_setxattr); set_to_cap_if_null(ops, inode_getxattr); @@ -1009,19 +940,15 @@ void security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, cred_alloc_blank); set_to_cap_if_null(ops, cred_free); set_to_cap_if_null(ops, cred_prepare); - set_to_cap_if_null(ops, cred_commit); set_to_cap_if_null(ops, cred_transfer); set_to_cap_if_null(ops, kernel_act_as); set_to_cap_if_null(ops, kernel_create_files_as); set_to_cap_if_null(ops, kernel_module_request); - set_to_cap_if_null(ops, task_setuid); set_to_cap_if_null(ops, task_fix_setuid); - set_to_cap_if_null(ops, task_setgid); set_to_cap_if_null(ops, task_setpgid); set_to_cap_if_null(ops, task_getpgid); set_to_cap_if_null(ops, task_getsid); set_to_cap_if_null(ops, task_getsecid); - set_to_cap_if_null(ops, task_setgroups); set_to_cap_if_null(ops, task_setnice); set_to_cap_if_null(ops, task_setioprio); set_to_cap_if_null(ops, task_getioprio); @@ -1113,7 +1040,6 @@ void security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, key_free); set_to_cap_if_null(ops, key_permission); set_to_cap_if_null(ops, key_getsecurity); - set_to_cap_if_null(ops, key_session_to_parent); #endif /* CONFIG_KEYS */ #ifdef CONFIG_AUDIT set_to_cap_if_null(ops, audit_rule_init); diff --git a/security/commoncap.c b/security/commoncap.c index 61669730da9..4e015996dd4 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -570,7 +570,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, } if (!strncmp(name, XATTR_SECURITY_PREFIX, - sizeof(XATTR_SECURITY_PREFIX) - 1) && + sizeof(XATTR_SECURITY_PREFIX) - 1) && !capable(CAP_SYS_ADMIN)) return -EPERM; return 0; @@ -596,7 +596,7 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name) } if (!strncmp(name, XATTR_SECURITY_PREFIX, - sizeof(XATTR_SECURITY_PREFIX) - 1) && + sizeof(XATTR_SECURITY_PREFIX) - 1) && !capable(CAP_SYS_ADMIN)) return -EPERM; return 0; @@ -931,7 +931,7 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages) * @addr: address attempting to be mapped * @addr_only: unused * - * If the process is attempting to map memory below mmap_min_addr they need + * If the process is attempting to map memory below dac_mmap_min_addr they need * CAP_SYS_RAWIO. The other parameters to this function are unused by the * capability security module. Returns 0 if this mapping should be allowed * -EPERM if not. diff --git a/security/device_cgroup.c b/security/device_cgroup.c index f77c6042399..8d9c48f1377 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -470,7 +470,7 @@ struct cgroup_subsys devices_subsys = { .name = "devices", .can_attach = devcgroup_can_attach, .create = devcgroup_create, - .destroy = devcgroup_destroy, + .destroy = devcgroup_destroy, .populate = devcgroup_populate, .subsys_id = devices_subsys_id, }; diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 3d7846de806..b6ecfd4d8d7 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -2,15 +2,14 @@ # config IMA bool "Integrity Measurement Architecture(IMA)" - depends on ACPI depends on SECURITY select SECURITYFS select CRYPTO select CRYPTO_HMAC select CRYPTO_MD5 select CRYPTO_SHA1 - select TCG_TPM - select TCG_TIS + select TCG_TPM if !S390 + select TCG_TIS if TCG_TPM help The Trusted Computing Group(TCG) runtime Integrity Measurement Architecture(IMA) maintains a list of hash diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 47fb65d1fcb..16d100d3fc3 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -135,7 +135,7 @@ enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK }; int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask); void ima_init_policy(void); void ima_update_policy(void); -int ima_parse_add_rule(char *); +ssize_t ima_parse_add_rule(char *); void ima_delete_rules(void); /* LSM based policy rules require audit */ diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c index 5af76340470..c5c5a72c30b 100644 --- a/security/integrity/ima/ima_audit.c +++ b/security/integrity/ima/ima_audit.c @@ -41,7 +41,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode, return; ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno); - audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u ses=%u", + audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u", current->pid, current_cred()->uid, audit_get_loginuid(current), audit_get_sessionid(current)); diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index 952e51373f5..9b3ade7468b 100644 --- a/security/integrity/ima/ima_crypto.c +++ b/security/integrity/ima/ima_crypto.c @@ -27,7 +27,7 @@ static int init_desc(struct hash_desc *desc) desc->tfm = crypto_alloc_hash(ima_hash, 0, CRYPTO_ALG_ASYNC); if (IS_ERR(desc->tfm)) { - pr_info("failed to load %s transform: %ld\n", + pr_info("IMA: failed to load %s transform: %ld\n", ima_hash, PTR_ERR(desc->tfm)); rc = PTR_ERR(desc->tfm); return rc; @@ -112,7 +112,7 @@ static void __init ima_pcrread(int idx, u8 *pcr) return; if (tpm_pcr_read(TPM_ANY_NUM, idx, pcr) != 0) - pr_err("Error Communicating to TPM chip\n"); + pr_err("IMA: Error Communicating to TPM chip\n"); } /* diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 07cb9c338cc..8fe736aabe7 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -244,32 +244,34 @@ static const struct file_operations ima_ascii_measurements_ops = { static ssize_t ima_write_policy(struct file *file, const char __user *buf, size_t datalen, loff_t *ppos) { - char *data; - int rc; + char *data = NULL; + ssize_t result; if (datalen >= PAGE_SIZE) - return -ENOMEM; - if (*ppos != 0) { - /* No partial writes. */ - return -EINVAL; - } + datalen = PAGE_SIZE - 1; + + /* No partial writes. */ + result = -EINVAL; + if (*ppos != 0) + goto out; + + result = -ENOMEM; data = kmalloc(datalen + 1, GFP_KERNEL); if (!data) - return -ENOMEM; + goto out; - if (copy_from_user(data, buf, datalen)) { - kfree(data); - return -EFAULT; - } *(data + datalen) = '\0'; - rc = ima_parse_add_rule(data); - if (rc < 0) { - datalen = -EINVAL; - valid_policy = 0; - } + result = -EFAULT; + if (copy_from_user(data, buf, datalen)) + goto out; + + result = ima_parse_add_rule(data); +out: + if (result < 0) + valid_policy = 0; kfree(data); - return datalen; + return result; } static struct dentry *ima_dir; diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c index 2c744d48801..7625b85c227 100644 --- a/security/integrity/ima/ima_iint.c +++ b/security/integrity/ima/ima_iint.c @@ -80,21 +80,21 @@ void iint_free(struct kref *kref) iint->version = 0; iint->flags = 0UL; if (iint->readcount != 0) { - printk(KERN_INFO "%s: readcount: %ld\n", __FUNCTION__, + printk(KERN_INFO "%s: readcount: %ld\n", __func__, iint->readcount); iint->readcount = 0; } if (iint->writecount != 0) { - printk(KERN_INFO "%s: writecount: %ld\n", __FUNCTION__, + printk(KERN_INFO "%s: writecount: %ld\n", __func__, iint->writecount); iint->writecount = 0; } if (iint->opencount != 0) { - printk(KERN_INFO "%s: opencount: %ld\n", __FUNCTION__, + printk(KERN_INFO "%s: opencount: %ld\n", __func__, iint->opencount); iint->opencount = 0; } - kref_set(&iint->refcount, 1); + kref_init(&iint->refcount); kmem_cache_free(iint_cache, iint); } @@ -133,7 +133,7 @@ static void init_once(void *foo) iint->readcount = 0; iint->writecount = 0; iint->opencount = 0; - kref_set(&iint->refcount, 1); + kref_init(&iint->refcount); } static int __init ima_iintcache_init(void) diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index b1bcb702a27..17f1f060306 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -83,7 +83,7 @@ int __init ima_init(void) ima_used_chip = 1; if (!ima_used_chip) - pr_info("No TPM chip found, activating TPM-bypass!\n"); + pr_info("IMA: No TPM chip found, activating TPM-bypass!\n"); ima_add_boot_aggregate(); /* boot aggregate must be first entry */ ima_init_policy(); diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index b2c89d9de2a..f93641382e9 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -195,7 +195,7 @@ static void ima_dec_counts(struct ima_iint_cache *iint, struct inode *inode, (iint->writecount < 0)) && !ima_limit_imbalance(file)) { printk(KERN_INFO "%s: open/free imbalance (r:%ld w:%ld o:%ld)\n", - __FUNCTION__, iint->readcount, iint->writecount, + __func__, iint->readcount, iint->writecount, iint->opencount); dump_stack(); } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 8643a93c596..aef8c0a923a 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -246,6 +246,9 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry, { int result; + if (entry->lsm[lsm_rule].rule) + return -EINVAL; + entry->lsm[lsm_rule].type = audit_type; result = security_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, args, @@ -253,6 +256,13 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry, return result; } +static void ima_log_string(struct audit_buffer *ab, char *key, char *value) +{ + audit_log_format(ab, "%s=", key); + audit_log_untrustedstring(ab, value); + audit_log_format(ab, " "); +} + static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry) { struct audit_buffer *ab; @@ -261,28 +271,41 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry) ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE); - entry->action = -1; - while ((p = strsep(&rule, " \n")) != NULL) { + entry->uid = -1; + entry->action = UNKNOWN; + while ((p = strsep(&rule, " \t")) != NULL) { substring_t args[MAX_OPT_ARGS]; int token; unsigned long lnum; if (result < 0) break; - if (!*p) + if ((*p == '\0') || (*p == ' ') || (*p == '\t')) continue; token = match_token(p, policy_tokens, args); switch (token) { case Opt_measure: - audit_log_format(ab, "%s ", "measure"); + ima_log_string(ab, "action", "measure"); + + if (entry->action != UNKNOWN) + result = -EINVAL; + entry->action = MEASURE; break; case Opt_dont_measure: - audit_log_format(ab, "%s ", "dont_measure"); + ima_log_string(ab, "action", "dont_measure"); + + if (entry->action != UNKNOWN) + result = -EINVAL; + entry->action = DONT_MEASURE; break; case Opt_func: - audit_log_format(ab, "func=%s ", args[0].from); + ima_log_string(ab, "func", args[0].from); + + if (entry->func) + result = -EINVAL; + if (strcmp(args[0].from, "FILE_CHECK") == 0) entry->func = FILE_CHECK; /* PATH_CHECK is for backwards compat */ @@ -298,7 +321,11 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry) entry->flags |= IMA_FUNC; break; case Opt_mask: - audit_log_format(ab, "mask=%s ", args[0].from); + ima_log_string(ab, "mask", args[0].from); + + if (entry->mask) + result = -EINVAL; + if ((strcmp(args[0].from, "MAY_EXEC")) == 0) entry->mask = MAY_EXEC; else if (strcmp(args[0].from, "MAY_WRITE") == 0) @@ -313,14 +340,26 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry) entry->flags |= IMA_MASK; break; case Opt_fsmagic: - audit_log_format(ab, "fsmagic=%s ", args[0].from); + ima_log_string(ab, "fsmagic", args[0].from); + + if (entry->fsmagic) { + result = -EINVAL; + break; + } + result = strict_strtoul(args[0].from, 16, &entry->fsmagic); if (!result) entry->flags |= IMA_FSMAGIC; break; case Opt_uid: - audit_log_format(ab, "uid=%s ", args[0].from); + ima_log_string(ab, "uid", args[0].from); + + if (entry->uid != -1) { + result = -EINVAL; + break; + } + result = strict_strtoul(args[0].from, 10, &lnum); if (!result) { entry->uid = (uid_t) lnum; @@ -331,50 +370,51 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry) } break; case Opt_obj_user: - audit_log_format(ab, "obj_user=%s ", args[0].from); + ima_log_string(ab, "obj_user", args[0].from); result = ima_lsm_rule_init(entry, args[0].from, LSM_OBJ_USER, AUDIT_OBJ_USER); break; case Opt_obj_role: - audit_log_format(ab, "obj_role=%s ", args[0].from); + ima_log_string(ab, "obj_role", args[0].from); result = ima_lsm_rule_init(entry, args[0].from, LSM_OBJ_ROLE, AUDIT_OBJ_ROLE); break; case Opt_obj_type: - audit_log_format(ab, "obj_type=%s ", args[0].from); + ima_log_string(ab, "obj_type", args[0].from); result = ima_lsm_rule_init(entry, args[0].from, LSM_OBJ_TYPE, AUDIT_OBJ_TYPE); break; case Opt_subj_user: - audit_log_format(ab, "subj_user=%s ", args[0].from); + ima_log_string(ab, "subj_user", args[0].from); result = ima_lsm_rule_init(entry, args[0].from, LSM_SUBJ_USER, AUDIT_SUBJ_USER); break; case Opt_subj_role: - audit_log_format(ab, "subj_role=%s ", args[0].from); + ima_log_string(ab, "subj_role", args[0].from); result = ima_lsm_rule_init(entry, args[0].from, LSM_SUBJ_ROLE, AUDIT_SUBJ_ROLE); break; case Opt_subj_type: - audit_log_format(ab, "subj_type=%s ", args[0].from); + ima_log_string(ab, "subj_type", args[0].from); result = ima_lsm_rule_init(entry, args[0].from, LSM_SUBJ_TYPE, AUDIT_SUBJ_TYPE); break; case Opt_err: - audit_log_format(ab, "UNKNOWN=%s ", p); + ima_log_string(ab, "UNKNOWN", p); + result = -EINVAL; break; } } - if (entry->action == UNKNOWN) + if (!result && (entry->action == UNKNOWN)) result = -EINVAL; - audit_log_format(ab, "res=%d", !result ? 0 : 1); + audit_log_format(ab, "res=%d", !!result); audit_log_end(ab); return result; } @@ -384,13 +424,14 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry) * @rule - ima measurement policy rule * * Uses a mutex to protect the policy list from multiple concurrent writers. - * Returns 0 on success, an error code on failure. + * Returns the length of the rule parsed, an error code on failure */ -int ima_parse_add_rule(char *rule) +ssize_t ima_parse_add_rule(char *rule) { const char *op = "update_policy"; + char *p; struct ima_measure_rule_entry *entry; - int result = 0; + ssize_t result, len; int audit_info = 0; /* Prevent installed policy from changing */ @@ -410,18 +451,28 @@ int ima_parse_add_rule(char *rule) INIT_LIST_HEAD(&entry->list); - result = ima_parse_rule(rule, entry); - if (!result) { - mutex_lock(&ima_measure_mutex); - list_add_tail(&entry->list, &measure_policy_rules); - mutex_unlock(&ima_measure_mutex); - } else { + p = strsep(&rule, "\n"); + len = strlen(p) + 1; + + if (*p == '#') { + kfree(entry); + return len; + } + + result = ima_parse_rule(p, entry); + if (result) { kfree(entry); integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, op, "invalid policy", result, audit_info); + return result; } - return result; + + mutex_lock(&ima_measure_mutex); + list_add_tail(&entry->list, &measure_policy_rules); + mutex_unlock(&ima_measure_mutex); + + return len; } /* ima_delete_rules called to cleanup invalid policy */ diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c index 46ba62b1adf..8e28f04a5e2 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -71,7 +71,7 @@ static int ima_add_digest_entry(struct ima_template_entry *entry) qe = kmalloc(sizeof(*qe), GFP_KERNEL); if (qe == NULL) { - pr_err("OUT OF MEMORY ERROR creating queue entry.\n"); + pr_err("IMA: OUT OF MEMORY ERROR creating queue entry.\n"); return -ENOMEM; } qe->entry = entry; @@ -94,7 +94,7 @@ static int ima_pcr_extend(const u8 *hash) result = tpm_pcr_extend(TPM_ANY_NUM, CONFIG_IMA_MEASURE_PCR_IDX, hash); if (result != 0) - pr_err("Error Communicating to TPM chip\n"); + pr_err("IMA: Error Communicating to TPM chip\n"); return result; } diff --git a/security/keys/gc.c b/security/keys/gc.c index 19902319d09..a46e825cbf0 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c @@ -77,10 +77,10 @@ static bool key_gc_keyring(struct key *keyring, time_t limit) goto dont_gc; /* scan the keyring looking for dead keys */ - klist = rcu_dereference_check(keyring->payload.subscriptions, - lockdep_is_held(&key_serial_lock)); + rcu_read_lock(); + klist = rcu_dereference(keyring->payload.subscriptions); if (!klist) - goto dont_gc; + goto unlock_dont_gc; for (loop = klist->nkeys - 1; loop >= 0; loop--) { key = klist->keys[loop]; @@ -89,11 +89,14 @@ static bool key_gc_keyring(struct key *keyring, time_t limit) goto do_gc; } +unlock_dont_gc: + rcu_read_unlock(); dont_gc: kleave(" = false"); return false; do_gc: + rcu_read_unlock(); key_gc_cursor = keyring->serial; key_get(keyring); spin_unlock(&key_serial_lock); diff --git a/security/keys/internal.h b/security/keys/internal.h index 24ba0307b7a..5d4402a1161 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h @@ -87,7 +87,16 @@ extern wait_queue_head_t request_key_conswq; extern struct key_type *key_type_lookup(const char *type); extern void key_type_put(struct key_type *ktype); -extern int __key_link(struct key *keyring, struct key *key); +extern int __key_link_begin(struct key *keyring, + const struct key_type *type, + const char *description, + struct keyring_list **_prealloc); +extern int __key_link_check_live_key(struct key *keyring, struct key *key); +extern void __key_link(struct key *keyring, struct key *key, + struct keyring_list **_prealloc); +extern void __key_link_end(struct key *keyring, + struct key_type *type, + struct keyring_list *prealloc); extern key_ref_t __keyring_search_one(key_ref_t keyring_ref, const struct key_type *type, diff --git a/security/keys/key.c b/security/keys/key.c index e50d264c9ad..c1eac8084ad 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -355,7 +355,7 @@ EXPORT_SYMBOL(key_alloc); */ int key_payload_reserve(struct key *key, size_t datalen) { - int delta = (int) datalen - key->datalen; + int delta = (int)datalen - key->datalen; int ret = 0; key_check(key); @@ -398,7 +398,8 @@ static int __key_instantiate_and_link(struct key *key, const void *data, size_t datalen, struct key *keyring, - struct key *authkey) + struct key *authkey, + struct keyring_list **_prealloc) { int ret, awaken; @@ -425,7 +426,7 @@ static int __key_instantiate_and_link(struct key *key, /* and link it into the destination keyring */ if (keyring) - ret = __key_link(keyring, key); + __key_link(keyring, key, _prealloc); /* disable the authorisation key */ if (authkey) @@ -453,15 +454,21 @@ int key_instantiate_and_link(struct key *key, struct key *keyring, struct key *authkey) { + struct keyring_list *prealloc; int ret; - if (keyring) - down_write(&keyring->sem); + if (keyring) { + ret = __key_link_begin(keyring, key->type, key->description, + &prealloc); + if (ret < 0) + return ret; + } - ret = __key_instantiate_and_link(key, data, datalen, keyring, authkey); + ret = __key_instantiate_and_link(key, data, datalen, keyring, authkey, + &prealloc); if (keyring) - up_write(&keyring->sem); + __key_link_end(keyring, key->type, prealloc); return ret; @@ -478,8 +485,9 @@ int key_negate_and_link(struct key *key, struct key *keyring, struct key *authkey) { + struct keyring_list *prealloc; struct timespec now; - int ret, awaken; + int ret, awaken, link_ret = 0; key_check(key); key_check(keyring); @@ -488,7 +496,8 @@ int key_negate_and_link(struct key *key, ret = -EBUSY; if (keyring) - down_write(&keyring->sem); + link_ret = __key_link_begin(keyring, key->type, + key->description, &prealloc); mutex_lock(&key_construction_mutex); @@ -508,8 +517,8 @@ int key_negate_and_link(struct key *key, ret = 0; /* and link it into the destination keyring */ - if (keyring) - ret = __key_link(keyring, key); + if (keyring && link_ret == 0) + __key_link(keyring, key, &prealloc); /* disable the authorisation key */ if (authkey) @@ -519,13 +528,13 @@ int key_negate_and_link(struct key *key, mutex_unlock(&key_construction_mutex); if (keyring) - up_write(&keyring->sem); + __key_link_end(keyring, key->type, prealloc); /* wake up anyone waiting for a key to be constructed */ if (awaken) wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT); - return ret; + return ret == 0 ? link_ret : ret; } /* end key_negate_and_link() */ @@ -749,6 +758,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, key_perm_t perm, unsigned long flags) { + struct keyring_list *prealloc; const struct cred *cred = current_cred(); struct key_type *ktype; struct key *keyring, *key = NULL; @@ -775,7 +785,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, if (keyring->type != &key_type_keyring) goto error_2; - down_write(&keyring->sem); + ret = __key_link_begin(keyring, ktype, description, &prealloc); + if (ret < 0) + goto error_2; /* if we're going to allocate a new key, we're going to have * to modify the keyring */ @@ -817,7 +829,8 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, } /* instantiate it and link it into the target keyring */ - ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL); + ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL, + &prealloc); if (ret < 0) { key_put(key); key_ref = ERR_PTR(ret); @@ -827,7 +840,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); error_3: - up_write(&keyring->sem); + __key_link_end(keyring, ktype, prealloc); error_2: key_type_put(ktype); error: @@ -837,7 +850,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, /* we found a matching key, so we're going to try to update it * - we can drop the locks first as we have the key pinned */ - up_write(&keyring->sem); + __key_link_end(keyring, ktype, prealloc); key_type_put(ktype); key_ref = __key_update(key_ref, payload, plen); diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index e9c2e7c584d..8f4dce1987c 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -212,15 +212,15 @@ SYSCALL_DEFINE4(request_key, const char __user *, _type, ret = key->serial; key_put(key); - error5: +error5: key_type_put(ktype); - error4: +error4: key_ref_put(dest_ref); - error3: +error3: kfree(callout_info); - error2: +error2: kfree(description); - error: +error: return ret; } /* end sys_request_key() */ @@ -246,7 +246,7 @@ long keyctl_get_keyring_ID(key_serial_t id, int create) ret = key_ref_to_ptr(key_ref)->serial; key_ref_put(key_ref); - error: +error: return ret; } /* end keyctl_get_keyring_ID() */ @@ -275,7 +275,7 @@ long keyctl_join_session_keyring(const char __user *_name) ret = join_session_keyring(name); kfree(name); - error: +error: return ret; } /* end keyctl_join_session_keyring() */ @@ -322,9 +322,9 @@ long keyctl_update_key(key_serial_t id, ret = key_update(key_ref, payload, plen); key_ref_put(key_ref); - error2: +error2: kfree(payload); - error: +error: return ret; } /* end keyctl_update_key() */ @@ -356,7 +356,7 @@ long keyctl_revoke_key(key_serial_t id) ret = 0; key_ref_put(key_ref); - error: +error: return ret; } /* end keyctl_revoke_key() */ @@ -381,7 +381,7 @@ long keyctl_keyring_clear(key_serial_t ringid) ret = keyring_clear(key_ref_to_ptr(keyring_ref)); key_ref_put(keyring_ref); - error: +error: return ret; } /* end keyctl_keyring_clear() */ @@ -413,9 +413,9 @@ long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); key_ref_put(key_ref); - error2: +error2: key_ref_put(keyring_ref); - error: +error: return ret; } /* end keyctl_keyring_link() */ @@ -447,9 +447,9 @@ long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); key_ref_put(key_ref); - error2: +error2: key_ref_put(keyring_ref); - error: +error: return ret; } /* end keyctl_keyring_unlink() */ @@ -529,9 +529,9 @@ okay: } kfree(tmpbuf); - error2: +error2: key_ref_put(key_ref); - error: +error: return ret; } /* end keyctl_describe_key() */ @@ -616,17 +616,17 @@ long keyctl_keyring_search(key_serial_t ringid, ret = key_ref_to_ptr(key_ref)->serial; - error6: +error6: key_ref_put(key_ref); - error5: +error5: key_type_put(ktype); - error4: +error4: key_ref_put(dest_ref); - error3: +error3: key_ref_put(keyring_ref); - error2: +error2: kfree(description); - error: +error: return ret; } /* end keyctl_keyring_search() */ @@ -673,7 +673,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) } /* the key is probably readable - now try to read it */ - can_read_key: +can_read_key: ret = key_validate(key); if (ret == 0) { ret = -EOPNOTSUPP; @@ -686,9 +686,9 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) } } - error2: +error2: key_put(key); - error: +error: return ret; } /* end keyctl_read_key() */ @@ -1282,26 +1282,19 @@ long keyctl_session_to_parent(void) /* the parent must have the same effective ownership and mustn't be * SUID/SGID */ - if (pcred-> uid != mycred->euid || + if (pcred->uid != mycred->euid || pcred->euid != mycred->euid || pcred->suid != mycred->euid || - pcred-> gid != mycred->egid || + pcred->gid != mycred->egid || pcred->egid != mycred->egid || pcred->sgid != mycred->egid) goto not_permitted; /* the keyrings must have the same UID */ - if (pcred ->tgcred->session_keyring->uid != mycred->euid || + if (pcred->tgcred->session_keyring->uid != mycred->euid || mycred->tgcred->session_keyring->uid != mycred->euid) goto not_permitted; - /* the LSM must permit the replacement of the parent's keyring with the - * keyring from this process */ - ret = security_key_session_to_parent(mycred, pcred, - key_ref_to_ptr(keyring_r)); - if (ret < 0) - goto not_permitted; - /* if there's an already pending keyring replacement, then we replace * that */ oldcred = parent->replacement_session_keyring; diff --git a/security/keys/keyring.c b/security/keys/keyring.c index dd7cd0f8e13..ef03a82a013 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -17,9 +17,14 @@ #include <linux/seq_file.h> #include <linux/err.h> #include <keys/keyring-type.h> -#include <asm/uaccess.h> +#include <linux/uaccess.h> #include "internal.h" +#define rcu_dereference_locked_keyring(keyring) \ + (rcu_dereference_protected( \ + (keyring)->payload.subscriptions, \ + rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem))) + /* * when plumbing the depths of the key tree, this sets a hard limit set on how * deep we're willing to go @@ -39,7 +44,7 @@ static inline unsigned keyring_hash(const char *desc) unsigned bucket = 0; for (; *desc; desc++) - bucket += (unsigned char) *desc; + bucket += (unsigned char)*desc; return bucket & (KEYRING_NAME_HASH_SIZE - 1); } @@ -170,12 +175,10 @@ static void keyring_describe(const struct key *keyring, struct seq_file *m) { struct keyring_list *klist; - if (keyring->description) { + if (keyring->description) seq_puts(m, keyring->description); - } - else { + else seq_puts(m, "[anon]"); - } rcu_read_lock(); klist = rcu_dereference(keyring->payload.subscriptions); @@ -201,8 +204,7 @@ static long keyring_read(const struct key *keyring, int loop, ret; ret = 0; - klist = keyring->payload.subscriptions; - + klist = rcu_dereference_locked_keyring(keyring); if (klist) { /* calculate how much data we could return */ qty = klist->nkeys * sizeof(key_serial_t); @@ -237,7 +239,7 @@ static long keyring_read(const struct key *keyring, ret = qty; } - error: +error: return ret; } /* end keyring_read() */ @@ -306,7 +308,7 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref, key_check(keyring); /* top keyring must have search permission to begin the search */ - err = key_task_permission(keyring_ref, cred, KEY_SEARCH); + err = key_task_permission(keyring_ref, cred, KEY_SEARCH); if (err < 0) { key_ref = ERR_PTR(err); goto error; @@ -508,7 +510,7 @@ key_ref_t __keyring_search_one(key_ref_t keyring_ref, rcu_read_unlock(); return ERR_PTR(-ENOKEY); - found: +found: atomic_inc(&key->usage); rcu_read_unlock(); return make_key_ref(key, possessed); @@ -526,9 +528,8 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check) struct key *keyring; int bucket; - keyring = ERR_PTR(-EINVAL); if (!name) - goto error; + return ERR_PTR(-EINVAL); bucket = keyring_hash(name); @@ -555,17 +556,18 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check) KEY_SEARCH) < 0) continue; - /* we've got a match */ - atomic_inc(&keyring->usage); - read_unlock(&keyring_name_lock); - goto error; + /* we've got a match but we might end up racing with + * key_cleanup() if the keyring is currently 'dead' + * (ie. it has a zero usage count) */ + if (!atomic_inc_not_zero(&keyring->usage)) + continue; + goto out; } } - read_unlock(&keyring_name_lock); keyring = ERR_PTR(-ENOKEY); - - error: +out: + read_unlock(&keyring_name_lock); return keyring; } /* end find_keyring_by_name() */ @@ -598,7 +600,7 @@ static int keyring_detect_cycle(struct key *A, struct key *B) sp = 0; /* start processing a new keyring */ - descend: +descend: if (test_bit(KEY_FLAG_REVOKED, &subtree->flags)) goto not_this_keyring; @@ -607,7 +609,7 @@ static int keyring_detect_cycle(struct key *A, struct key *B) goto not_this_keyring; kix = 0; - ascend: +ascend: /* iterate through the remaining keys in this keyring */ for (; kix < keylist->nkeys; kix++) { key = keylist->keys[kix]; @@ -633,7 +635,7 @@ static int keyring_detect_cycle(struct key *A, struct key *B) /* the keyring we're looking at was disqualified or didn't contain a * matching key */ - not_this_keyring: +not_this_keyring: if (sp > 0) { /* resume the checking of a keyring higher up in the tree */ sp--; @@ -644,34 +646,20 @@ static int keyring_detect_cycle(struct key *A, struct key *B) ret = 0; /* no cycles detected */ - error: +error: rcu_read_unlock(); return ret; - too_deep: +too_deep: ret = -ELOOP; goto error; - cycle_detected: +cycle_detected: ret = -EDEADLK; goto error; } /* end keyring_detect_cycle() */ -/*****************************************************************************/ -/* - * dispose of a keyring list after the RCU grace period - */ -static void keyring_link_rcu_disposal(struct rcu_head *rcu) -{ - struct keyring_list *klist = - container_of(rcu, struct keyring_list, rcu); - - kfree(klist); - -} /* end keyring_link_rcu_disposal() */ - -/*****************************************************************************/ /* * dispose of a keyring list after the RCU grace period, freeing the unlinked * key @@ -681,56 +669,51 @@ static void keyring_unlink_rcu_disposal(struct rcu_head *rcu) struct keyring_list *klist = container_of(rcu, struct keyring_list, rcu); - key_put(klist->keys[klist->delkey]); + if (klist->delkey != USHORT_MAX) + key_put(klist->keys[klist->delkey]); kfree(klist); +} -} /* end keyring_unlink_rcu_disposal() */ - -/*****************************************************************************/ /* - * link a key into to a keyring - * - must be called with the keyring's semaphore write-locked - * - discard already extant link to matching key if there is one + * preallocate memory so that a key can be linked into to a keyring */ -int __key_link(struct key *keyring, struct key *key) +int __key_link_begin(struct key *keyring, const struct key_type *type, + const char *description, + struct keyring_list **_prealloc) + __acquires(&keyring->sem) { struct keyring_list *klist, *nklist; unsigned max; size_t size; int loop, ret; - ret = -EKEYREVOKED; - if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) - goto error; + kenter("%d,%s,%s,", key_serial(keyring), type->name, description); - ret = -ENOTDIR; if (keyring->type != &key_type_keyring) - goto error; + return -ENOTDIR; - /* serialise link/link calls to prevent parallel calls causing a - * cycle when applied to two keyring in opposite orders */ - down_write(&keyring_serialise_link_sem); + down_write(&keyring->sem); - /* check that we aren't going to create a cycle adding one keyring to - * another */ - if (key->type == &key_type_keyring) { - ret = keyring_detect_cycle(keyring, key); - if (ret < 0) - goto error2; - } + ret = -EKEYREVOKED; + if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) + goto error_krsem; - /* see if there's a matching key we can displace */ - klist = keyring->payload.subscriptions; + /* serialise link/link calls to prevent parallel calls causing a cycle + * when linking two keyring in opposite orders */ + if (type == &key_type_keyring) + down_write(&keyring_serialise_link_sem); - if (klist && klist->nkeys > 0) { - struct key_type *type = key->type; + klist = rcu_dereference_locked_keyring(keyring); + /* see if there's a matching key we can displace */ + if (klist && klist->nkeys > 0) { for (loop = klist->nkeys - 1; loop >= 0; loop--) { if (klist->keys[loop]->type == type && strcmp(klist->keys[loop]->description, - key->description) == 0 + description) == 0 ) { - /* found a match - replace with new key */ + /* found a match - we'll replace this one with + * the new key */ size = sizeof(struct key *) * klist->maxkeys; size += sizeof(*klist); BUG_ON(size > PAGE_SIZE); @@ -738,22 +721,10 @@ int __key_link(struct key *keyring, struct key *key) ret = -ENOMEM; nklist = kmemdup(klist, size, GFP_KERNEL); if (!nklist) - goto error2; - - /* replace matched key */ - atomic_inc(&key->usage); - nklist->keys[loop] = key; - - rcu_assign_pointer( - keyring->payload.subscriptions, - nklist); - - /* dispose of the old keyring list and the - * displaced key */ - klist->delkey = loop; - call_rcu(&klist->rcu, - keyring_unlink_rcu_disposal); + goto error_sem; + /* note replacement slot */ + klist->delkey = nklist->delkey = loop; goto done; } } @@ -763,90 +734,167 @@ int __key_link(struct key *keyring, struct key *key) ret = key_payload_reserve(keyring, keyring->datalen + KEYQUOTA_LINK_BYTES); if (ret < 0) - goto error2; - - klist = keyring->payload.subscriptions; + goto error_sem; if (klist && klist->nkeys < klist->maxkeys) { - /* there's sufficient slack space to add directly */ - atomic_inc(&key->usage); - - klist->keys[klist->nkeys] = key; - smp_wmb(); - klist->nkeys++; - smp_wmb(); - } - else { + /* there's sufficient slack space to append directly */ + nklist = NULL; + } else { /* grow the key list */ max = 4; if (klist) max += klist->maxkeys; ret = -ENFILE; - if (max > 65535) - goto error3; + if (max > USHORT_MAX - 1) + goto error_quota; size = sizeof(*klist) + sizeof(struct key *) * max; if (size > PAGE_SIZE) - goto error3; + goto error_quota; ret = -ENOMEM; nklist = kmalloc(size, GFP_KERNEL); if (!nklist) - goto error3; - nklist->maxkeys = max; - nklist->nkeys = 0; + goto error_quota; + nklist->maxkeys = max; if (klist) { - nklist->nkeys = klist->nkeys; - memcpy(nklist->keys, - klist->keys, + memcpy(nklist->keys, klist->keys, sizeof(struct key *) * klist->nkeys); + nklist->delkey = klist->nkeys; + nklist->nkeys = klist->nkeys + 1; + klist->delkey = USHORT_MAX; + } else { + nklist->nkeys = 1; + nklist->delkey = 0; } /* add the key into the new space */ - atomic_inc(&key->usage); - nklist->keys[nklist->nkeys++] = key; - - rcu_assign_pointer(keyring->payload.subscriptions, nklist); - - /* dispose of the old keyring list */ - if (klist) - call_rcu(&klist->rcu, keyring_link_rcu_disposal); + nklist->keys[nklist->delkey] = NULL; } done: - ret = 0; -error2: - up_write(&keyring_serialise_link_sem); -error: - return ret; + *_prealloc = nklist; + kleave(" = 0"); + return 0; -error3: +error_quota: /* undo the quota changes */ key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES); - goto error2; +error_sem: + if (type == &key_type_keyring) + up_write(&keyring_serialise_link_sem); +error_krsem: + up_write(&keyring->sem); + kleave(" = %d", ret); + return ret; +} -} /* end __key_link() */ +/* + * check already instantiated keys aren't going to be a problem + * - the caller must have called __key_link_begin() + * - don't need to call this for keys that were created since __key_link_begin() + * was called + */ +int __key_link_check_live_key(struct key *keyring, struct key *key) +{ + if (key->type == &key_type_keyring) + /* check that we aren't going to create a cycle by linking one + * keyring to another */ + return keyring_detect_cycle(keyring, key); + return 0; +} + +/* + * link a key into to a keyring + * - must be called with __key_link_begin() having being called + * - discard already extant link to matching key if there is one + */ +void __key_link(struct key *keyring, struct key *key, + struct keyring_list **_prealloc) +{ + struct keyring_list *klist, *nklist; + + nklist = *_prealloc; + *_prealloc = NULL; + + kenter("%d,%d,%p", keyring->serial, key->serial, nklist); + + klist = rcu_dereference_protected(keyring->payload.subscriptions, + rwsem_is_locked(&keyring->sem)); + + atomic_inc(&key->usage); + + /* there's a matching key we can displace or an empty slot in a newly + * allocated list we can fill */ + if (nklist) { + kdebug("replace %hu/%hu/%hu", + nklist->delkey, nklist->nkeys, nklist->maxkeys); + + nklist->keys[nklist->delkey] = key; + + rcu_assign_pointer(keyring->payload.subscriptions, nklist); + + /* dispose of the old keyring list and, if there was one, the + * displaced key */ + if (klist) { + kdebug("dispose %hu/%hu/%hu", + klist->delkey, klist->nkeys, klist->maxkeys); + call_rcu(&klist->rcu, keyring_unlink_rcu_disposal); + } + } else { + /* there's sufficient slack space to append directly */ + klist->keys[klist->nkeys] = key; + smp_wmb(); + klist->nkeys++; + } +} + +/* + * finish linking a key into to a keyring + * - must be called with __key_link_begin() having being called + */ +void __key_link_end(struct key *keyring, struct key_type *type, + struct keyring_list *prealloc) + __releases(&keyring->sem) +{ + BUG_ON(type == NULL); + BUG_ON(type->name == NULL); + kenter("%d,%s,%p", keyring->serial, type->name, prealloc); + + if (type == &key_type_keyring) + up_write(&keyring_serialise_link_sem); + + if (prealloc) { + kfree(prealloc); + key_payload_reserve(keyring, + keyring->datalen - KEYQUOTA_LINK_BYTES); + } + up_write(&keyring->sem); +} -/*****************************************************************************/ /* * link a key to a keyring */ int key_link(struct key *keyring, struct key *key) { + struct keyring_list *prealloc; int ret; key_check(keyring); key_check(key); - down_write(&keyring->sem); - ret = __key_link(keyring, key); - up_write(&keyring->sem); + ret = __key_link_begin(keyring, key->type, key->description, &prealloc); + if (ret == 0) { + ret = __key_link_check_live_key(keyring, key); + if (ret == 0) + __key_link(keyring, key, &prealloc); + __key_link_end(keyring, key->type, prealloc); + } return ret; - -} /* end key_link() */ +} EXPORT_SYMBOL(key_link); @@ -868,7 +916,7 @@ int key_unlink(struct key *keyring, struct key *key) down_write(&keyring->sem); - klist = keyring->payload.subscriptions; + klist = rcu_dereference_locked_keyring(keyring); if (klist) { /* search the keyring for the key */ for (loop = 0; loop < klist->nkeys; loop++) @@ -959,7 +1007,7 @@ int keyring_clear(struct key *keyring) /* detach the pointer block with the locks held */ down_write(&keyring->sem); - klist = keyring->payload.subscriptions; + klist = rcu_dereference_locked_keyring(keyring); if (klist) { /* adjust the quota */ key_payload_reserve(keyring, @@ -991,7 +1039,9 @@ EXPORT_SYMBOL(keyring_clear); */ static void keyring_revoke(struct key *keyring) { - struct keyring_list *klist = keyring->payload.subscriptions; + struct keyring_list *klist; + + klist = rcu_dereference_locked_keyring(keyring); /* adjust the quota */ key_payload_reserve(keyring, 0); @@ -1025,7 +1075,7 @@ void keyring_gc(struct key *keyring, time_t limit) down_write(&keyring->sem); - klist = keyring->payload.subscriptions; + klist = rcu_dereference_locked_keyring(keyring); if (!klist) goto no_klist; diff --git a/security/keys/permission.c b/security/keys/permission.c index 0ed802c9e69..28645502cd0 100644 --- a/security/keys/permission.c +++ b/security/keys/permission.c @@ -109,7 +109,7 @@ int key_validate(struct key *key) } } - error: +error: return ret; } /* end key_validate() */ diff --git a/security/keys/proc.c b/security/keys/proc.c index 706d63f4f18..068b66ea2f1 100644 --- a/security/keys/proc.c +++ b/security/keys/proc.c @@ -306,7 +306,7 @@ static void *proc_key_users_start(struct seq_file *p, loff_t *_pos) static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos) { (*_pos)++; - return key_user_next((struct rb_node *) v); + return key_user_next((struct rb_node *)v); } static void proc_key_users_stop(struct seq_file *p, void *v) diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index 06c2ccf26ed..20a38fed61b 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c @@ -508,7 +508,7 @@ try_again: ret = install_thread_keyring(); if (ret < 0) { - key = ERR_PTR(ret); + key_ref = ERR_PTR(ret); goto error; } goto reget_creds; @@ -526,7 +526,7 @@ try_again: ret = install_process_keyring(); if (ret < 0) { - key = ERR_PTR(ret); + key_ref = ERR_PTR(ret); goto error; } goto reget_creds; @@ -585,7 +585,7 @@ try_again: case KEY_SPEC_GROUP_KEYRING: /* group keyrings are not yet supported */ - key = ERR_PTR(-EINVAL); + key_ref = ERR_PTR(-EINVAL); goto error; case KEY_SPEC_REQKEY_AUTH_KEY: diff --git a/security/keys/request_key.c b/security/keys/request_key.c index d737cea5347..f656e9c069e 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c @@ -94,7 +94,7 @@ static int call_sbin_request_key(struct key_construction *cons, } /* attach the auth key to the session keyring */ - ret = __key_link(keyring, authkey); + ret = key_link(keyring, authkey); if (ret < 0) goto error_link; @@ -299,12 +299,15 @@ static int construct_alloc_key(struct key_type *type, struct key_user *user, struct key **_key) { + struct keyring_list *prealloc; const struct cred *cred = current_cred(); struct key *key; key_ref_t key_ref; + int ret; kenter("%s,%s,,,", type->name, description); + *_key = NULL; mutex_lock(&user->cons_lock); key = key_alloc(type, description, cred->fsuid, cred->fsgid, cred, @@ -314,8 +317,12 @@ static int construct_alloc_key(struct key_type *type, set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); - if (dest_keyring) - down_write(&dest_keyring->sem); + if (dest_keyring) { + ret = __key_link_begin(dest_keyring, type, description, + &prealloc); + if (ret < 0) + goto link_prealloc_failed; + } /* attach the key to the destination keyring under lock, but we do need * to do another check just in case someone beat us to it whilst we @@ -327,31 +334,49 @@ static int construct_alloc_key(struct key_type *type, goto key_already_present; if (dest_keyring) - __key_link(dest_keyring, key); + __key_link(dest_keyring, key, &prealloc); mutex_unlock(&key_construction_mutex); if (dest_keyring) - up_write(&dest_keyring->sem); + __key_link_end(dest_keyring, type, prealloc); mutex_unlock(&user->cons_lock); *_key = key; kleave(" = 0 [%d]", key_serial(key)); return 0; + /* the key is now present - we tell the caller that we found it by + * returning -EINPROGRESS */ key_already_present: + key_put(key); mutex_unlock(&key_construction_mutex); + key = key_ref_to_ptr(key_ref); if (dest_keyring) { - __key_link(dest_keyring, key_ref_to_ptr(key_ref)); - up_write(&dest_keyring->sem); + ret = __key_link_check_live_key(dest_keyring, key); + if (ret == 0) + __key_link(dest_keyring, key, &prealloc); + __key_link_end(dest_keyring, type, prealloc); + if (ret < 0) + goto link_check_failed; } mutex_unlock(&user->cons_lock); - key_put(key); - *_key = key = key_ref_to_ptr(key_ref); + *_key = key; kleave(" = -EINPROGRESS [%d]", key_serial(key)); return -EINPROGRESS; +link_check_failed: + mutex_unlock(&user->cons_lock); + key_put(key); + kleave(" = %d [linkcheck]", ret); + return ret; + +link_prealloc_failed: + up_write(&dest_keyring->sem); + mutex_unlock(&user->cons_lock); + kleave(" = %d [prelink]", ret); + return ret; + alloc_failed: mutex_unlock(&user->cons_lock); - *_key = NULL; kleave(" = %ld", PTR_ERR(key)); return PTR_ERR(key); } @@ -390,6 +415,10 @@ static struct key *construct_key_and_link(struct key_type *type, kdebug("cons failed"); goto construction_failed; } + } else if (ret == -EINPROGRESS) { + ret = 0; + } else { + key = ERR_PTR(ret); } key_put(dest_keyring); @@ -422,6 +451,7 @@ struct key *request_key_and_link(struct key_type *type, const struct cred *cred = current_cred(); struct key *key; key_ref_t key_ref; + int ret; kenter("%s,%s,%p,%zu,%p,%p,%lx", type->name, description, callout_info, callout_len, aux, @@ -435,8 +465,13 @@ struct key *request_key_and_link(struct key_type *type, key = key_ref_to_ptr(key_ref); if (dest_keyring) { construct_get_dest_keyring(&dest_keyring); - key_link(dest_keyring, key); + ret = key_link(dest_keyring, key); key_put(dest_keyring); + if (ret < 0) { + key_put(key); + key = ERR_PTR(ret); + goto error; + } } } else if (PTR_ERR(key_ref) != -EAGAIN) { key = ERR_CAST(key_ref); diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c index 7c687d56822..e9aa0792965 100644 --- a/security/keys/user_defined.c +++ b/security/keys/user_defined.c @@ -199,7 +199,8 @@ long user_read(const struct key *key, char __user *buffer, size_t buflen) struct user_key_payload *upayload; long ret; - upayload = rcu_dereference(key->payload.data); + upayload = rcu_dereference_protected( + key->payload.data, rwsem_is_locked(&((struct key *)key)->sem)); ret = upayload->datalen; /* we can return the data as is */ diff --git a/security/lsm_audit.c b/security/lsm_audit.c index 893365b79a2..908aa712816 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c @@ -221,7 +221,7 @@ static void dump_common_audit_data(struct audit_buffer *ab, } switch (a->type) { - case LSM_AUDIT_NO_AUDIT: + case LSM_AUDIT_DATA_NONE: return; case LSM_AUDIT_DATA_IPC: audit_log_format(ab, " key=%d ", a->u.ipc_id); diff --git a/security/min_addr.c b/security/min_addr.c index e86f297522b..f728728f193 100644 --- a/security/min_addr.c +++ b/security/min_addr.c @@ -33,7 +33,7 @@ int mmap_min_addr_handler(struct ctl_table *table, int write, { int ret; - if (!capable(CAP_SYS_RAWIO)) + if (write && !capable(CAP_SYS_RAWIO)) return -EPERM; ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos); diff --git a/security/security.c b/security/security.c index 687c6fd14bb..351942a4ca0 100644 --- a/security/security.c +++ b/security/security.c @@ -23,14 +23,14 @@ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; /* things that live in capability.c */ -extern void security_fixup_ops(struct security_operations *ops); +extern void __init security_fixup_ops(struct security_operations *ops); static struct security_operations *security_ops; static struct security_operations default_security_ops = { .name = "default", }; -static inline int verify(struct security_operations *ops) +static inline int __init verify(struct security_operations *ops) { /* verify the security_operations structure exists */ if (!ops) @@ -117,7 +117,7 @@ int __init security_module_enable(struct security_operations *ops) * If there is already a security module registered with the kernel, * an error will be returned. Otherwise %0 is returned on success. */ -int register_security(struct security_operations *ops) +int __init register_security(struct security_operations *ops) { if (verify(ops)) { printk(KERN_DEBUG "%s could not verify " @@ -190,11 +190,6 @@ int security_real_capable_noaudit(struct task_struct *tsk, int cap) return ret; } -int security_acct(struct file *file) -{ - return security_ops->acct(file); -} - int security_sysctl(struct ctl_table *table, int op) { return security_ops->sysctl(table, op); @@ -306,46 +301,16 @@ int security_sb_mount(char *dev_name, struct path *path, return security_ops->sb_mount(dev_name, path, type, flags, data); } -int security_sb_check_sb(struct vfsmount *mnt, struct path *path) -{ - return security_ops->sb_check_sb(mnt, path); -} - int security_sb_umount(struct vfsmount *mnt, int flags) { return security_ops->sb_umount(mnt, flags); } -void security_sb_umount_close(struct vfsmount *mnt) -{ - security_ops->sb_umount_close(mnt); -} - -void security_sb_umount_busy(struct vfsmount *mnt) -{ - security_ops->sb_umount_busy(mnt); -} - -void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data) -{ - security_ops->sb_post_remount(mnt, flags, data); -} - -void security_sb_post_addmount(struct vfsmount *mnt, struct path *mountpoint) -{ - security_ops->sb_post_addmount(mnt, mountpoint); -} - int security_sb_pivotroot(struct path *old_path, struct path *new_path) { return security_ops->sb_pivotroot(old_path, new_path); } -void security_sb_post_pivotroot(struct path *old_path, struct path *new_path) -{ - security_ops->sb_post_pivotroot(old_path, new_path); -} - int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts) { @@ -580,13 +545,6 @@ int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) return security_ops->inode_getattr(mnt, dentry); } -void security_inode_delete(struct inode *inode) -{ - if (unlikely(IS_PRIVATE(inode))) - return; - security_ops->inode_delete(inode); -} - int security_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { @@ -749,11 +707,6 @@ int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp) return security_ops->cred_prepare(new, old, gfp); } -void security_commit_creds(struct cred *new, const struct cred *old) -{ - security_ops->cred_commit(new, old); -} - void security_transfer_creds(struct cred *new, const struct cred *old) { security_ops->cred_transfer(new, old); @@ -774,22 +727,12 @@ int security_kernel_module_request(char *kmod_name) return security_ops->kernel_module_request(kmod_name); } -int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) -{ - return security_ops->task_setuid(id0, id1, id2, flags); -} - int security_task_fix_setuid(struct cred *new, const struct cred *old, int flags) { return security_ops->task_fix_setuid(new, old, flags); } -int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) -{ - return security_ops->task_setgid(id0, id1, id2, flags); -} - int security_task_setpgid(struct task_struct *p, pid_t pgid) { return security_ops->task_setpgid(p, pgid); @@ -811,11 +754,6 @@ void security_task_getsecid(struct task_struct *p, u32 *secid) } EXPORT_SYMBOL(security_task_getsecid); -int security_task_setgroups(struct group_info *group_info) -{ - return security_ops->task_setgroups(group_info); -} - int security_task_setnice(struct task_struct *p, int nice) { return security_ops->task_setnice(p, nice); @@ -1319,13 +1257,6 @@ int security_key_getsecurity(struct key *key, char **_buffer) return security_ops->key_getsecurity(key, _buffer); } -int security_key_session_to_parent(const struct cred *cred, - const struct cred *parent_cred, - struct key *key) -{ - return security_ops->key_session_to_parent(cred, parent_cred, key); -} - #endif /* CONFIG_KEYS */ #ifdef CONFIG_AUDIT diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 989fef82563..7f1a304712a 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -499,8 +499,7 @@ void avc_audit(u32 ssid, u32 tsid, return; if (!a) { a = &stack_data; - memset(a, 0, sizeof(*a)); - a->type = LSM_AUDIT_NO_AUDIT; + COMMON_AUDIT_DATA_INIT(a, NONE); } a->selinux_audit_data.tclass = tclass; a->selinux_audit_data.requested = requested; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5feecb41009..a03fd74602b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -293,28 +293,28 @@ static void superblock_free_security(struct super_block *sb) static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) { - struct sk_security_struct *ssec; + struct sk_security_struct *sksec; - ssec = kzalloc(sizeof(*ssec), priority); - if (!ssec) + sksec = kzalloc(sizeof(*sksec), priority); + if (!sksec) return -ENOMEM; - ssec->peer_sid = SECINITSID_UNLABELED; - ssec->sid = SECINITSID_UNLABELED; - sk->sk_security = ssec; + sksec->peer_sid = SECINITSID_UNLABELED; + sksec->sid = SECINITSID_UNLABELED; + sk->sk_security = sksec; - selinux_netlbl_sk_security_reset(ssec); + selinux_netlbl_sk_security_reset(sksec); return 0; } static void sk_free_security(struct sock *sk) { - struct sk_security_struct *ssec = sk->sk_security; + struct sk_security_struct *sksec = sk->sk_security; sk->sk_security = NULL; - selinux_netlbl_sk_security_free(ssec); - kfree(ssec); + selinux_netlbl_sk_security_free(sksec); + kfree(sksec); } /* The security server must be initialized before @@ -323,7 +323,7 @@ extern int ss_initialized; /* The file system's label must be initialized prior to use. */ -static char *labeling_behaviors[6] = { +static const char *labeling_behaviors[6] = { "uses xattr", "uses transition SIDs", "uses task SIDs", @@ -2999,13 +2999,15 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, return file_has_perm(cred, file, av); } +static int default_noexec; + static int file_map_prot_check(struct file *file, unsigned long prot, int shared) { const struct cred *cred = current_cred(); int rc = 0; -#ifndef CONFIG_PPC32 - if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { + if (default_noexec && + (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { /* * We are making executable an anonymous mapping or a * private file mapping that will also be writable. @@ -3015,7 +3017,6 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared if (rc) goto error; } -#endif if (file) { /* read access is always possible with a mapping */ @@ -3076,8 +3077,8 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, if (selinux_checkreqprot) prot = reqprot; -#ifndef CONFIG_PPC32 - if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { + if (default_noexec && + (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { int rc = 0; if (vma->vm_start >= vma->vm_mm->start_brk && vma->vm_end <= vma->vm_mm->brk) { @@ -3099,7 +3100,6 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, if (rc) return rc; } -#endif return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); } @@ -4002,7 +4002,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, struct socket *other, struct sock *newsk) { - struct sk_security_struct *ssec; + struct sk_security_struct *sksec; struct inode_security_struct *isec; struct inode_security_struct *other_isec; struct common_audit_data ad; @@ -4021,13 +4021,13 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, return err; /* connecting socket */ - ssec = sock->sk->sk_security; - ssec->peer_sid = other_isec->sid; + sksec = sock->sk->sk_security; + sksec->peer_sid = other_isec->sid; /* server child socket */ - ssec = newsk->sk_security; - ssec->peer_sid = isec->sid; - err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid); + sksec = newsk->sk_security; + sksec->peer_sid = isec->sid; + err = security_sid_mls_copy(other_isec->sid, sksec->peer_sid, &sksec->sid); return err; } @@ -4190,7 +4190,7 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op int err = 0; char *scontext; u32 scontext_len; - struct sk_security_struct *ssec; + struct sk_security_struct *sksec; struct inode_security_struct *isec; u32 peer_sid = SECSID_NULL; @@ -4198,8 +4198,8 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET || isec->sclass == SECCLASS_TCP_SOCKET) { - ssec = sock->sk->sk_security; - peer_sid = ssec->peer_sid; + sksec = sock->sk->sk_security; + peer_sid = sksec->peer_sid; } if (peer_sid == SECSID_NULL) { err = -ENOPROTOOPT; @@ -4266,14 +4266,14 @@ static void selinux_sk_free_security(struct sock *sk) static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) { - struct sk_security_struct *ssec = sk->sk_security; - struct sk_security_struct *newssec = newsk->sk_security; + struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *newsksec = newsk->sk_security; - newssec->sid = ssec->sid; - newssec->peer_sid = ssec->peer_sid; - newssec->sclass = ssec->sclass; + newsksec->sid = sksec->sid; + newsksec->peer_sid = sksec->peer_sid; + newsksec->sclass = sksec->sclass; - selinux_netlbl_sk_security_reset(newssec); + selinux_netlbl_sk_security_reset(newsksec); } static void selinux_sk_getsecid(struct sock *sk, u32 *secid) @@ -5662,6 +5662,8 @@ static __init int selinux_init(void) /* Set the security state for the initial task. */ cred_init_security(); + default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); + sel_inode_cache = kmem_cache_create("selinux_inode_security", sizeof(struct inode_security_struct), 0, SLAB_PANIC, NULL); diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h index d4fac82793a..a59b64e3fd0 100644 --- a/security/selinux/include/initial_sid_to_string.h +++ b/security/selinux/include/initial_sid_to_string.h @@ -1,5 +1,5 @@ /* This file is automatically generated. Do not edit. */ -static char *initial_sid_to_string[] = +static const char *initial_sid_to_string[] = { "null", "kernel", diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h index 8d7384280a7..cf2f628e6e2 100644 --- a/security/selinux/include/netlabel.h +++ b/security/selinux/include/netlabel.h @@ -42,8 +42,8 @@ void selinux_netlbl_cache_invalidate(void); void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway); -void selinux_netlbl_sk_security_free(struct sk_security_struct *ssec); -void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec); +void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec); +void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec); int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u16 family, @@ -79,13 +79,13 @@ static inline void selinux_netlbl_err(struct sk_buff *skb, } static inline void selinux_netlbl_sk_security_free( - struct sk_security_struct *ssec) + struct sk_security_struct *sksec) { return; } static inline void selinux_netlbl_sk_security_reset( - struct sk_security_struct *ssec) + struct sk_security_struct *sksec) { return; } diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 628da72ee76..1c2fc46544b 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -132,21 +132,21 @@ void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway) /** * selinux_netlbl_sk_security_free - Free the NetLabel fields - * @sssec: the sk_security_struct + * @sksec: the sk_security_struct * * Description: * Free all of the memory in the NetLabel fields of a sk_security_struct. * */ -void selinux_netlbl_sk_security_free(struct sk_security_struct *ssec) +void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec) { - if (ssec->nlbl_secattr != NULL) - netlbl_secattr_free(ssec->nlbl_secattr); + if (sksec->nlbl_secattr != NULL) + netlbl_secattr_free(sksec->nlbl_secattr); } /** * selinux_netlbl_sk_security_reset - Reset the NetLabel fields - * @ssec: the sk_security_struct + * @sksec: the sk_security_struct * @family: the socket family * * Description: @@ -154,9 +154,9 @@ void selinux_netlbl_sk_security_free(struct sk_security_struct *ssec) * The caller is responsibile for all the NetLabel sk_security_struct locking. * */ -void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec) +void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec) { - ssec->nlbl_state = NLBL_UNSET; + sksec->nlbl_state = NLBL_UNSET; } /** diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c index 0e147b6914a..36ac257cec9 100644 --- a/security/selinux/netlink.c +++ b/security/selinux/netlink.c @@ -14,7 +14,6 @@ #include <linux/slab.h> #include <linux/stddef.h> #include <linux/kernel.h> -#include <linux/list.h> #include <linux/skbuff.h> #include <linux/netlink.h> #include <linux/selinux_netlink.h> diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index dd7cc6de77f..75ec0c6ebac 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c @@ -11,7 +11,6 @@ */ #include <linux/types.h> #include <linux/kernel.h> -#include <linux/skbuff.h> #include <linux/netlink.h> #include <linux/rtnetlink.h> #include <linux/if.h> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index cd191bbec03..0293843f7ed 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -503,11 +503,11 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size) return length; length = -ENOMEM; - scon = kzalloc(size+1, GFP_KERNEL); + scon = kzalloc(size + 1, GFP_KERNEL); if (!scon) return length; - tcon = kzalloc(size+1, GFP_KERNEL); + tcon = kzalloc(size + 1, GFP_KERNEL); if (!tcon) goto out; @@ -515,10 +515,10 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size) if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) goto out2; - length = security_context_to_sid(scon, strlen(scon)+1, &ssid); + length = security_context_to_sid(scon, strlen(scon) + 1, &ssid); if (length < 0) goto out2; - length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid); + length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid); if (length < 0) goto out2; @@ -550,11 +550,11 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size) return length; length = -ENOMEM; - scon = kzalloc(size+1, GFP_KERNEL); + scon = kzalloc(size + 1, GFP_KERNEL); if (!scon) return length; - tcon = kzalloc(size+1, GFP_KERNEL); + tcon = kzalloc(size + 1, GFP_KERNEL); if (!tcon) goto out; @@ -562,10 +562,10 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size) if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) goto out2; - length = security_context_to_sid(scon, strlen(scon)+1, &ssid); + length = security_context_to_sid(scon, strlen(scon) + 1, &ssid); if (length < 0) goto out2; - length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid); + length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid); if (length < 0) goto out2; @@ -609,11 +609,11 @@ static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size) return length; length = -ENOMEM; - scon = kzalloc(size+1, GFP_KERNEL); + scon = kzalloc(size + 1, GFP_KERNEL); if (!scon) return length; - tcon = kzalloc(size+1, GFP_KERNEL); + tcon = kzalloc(size + 1, GFP_KERNEL); if (!tcon) goto out; @@ -621,10 +621,10 @@ static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size) if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) goto out2; - length = security_context_to_sid(scon, strlen(scon)+1, &ssid); + length = security_context_to_sid(scon, strlen(scon) + 1, &ssid); if (length < 0) goto out2; - length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid); + length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid); if (length < 0) goto out2; @@ -666,11 +666,11 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size) return length; length = -ENOMEM; - con = kzalloc(size+1, GFP_KERNEL); + con = kzalloc(size + 1, GFP_KERNEL); if (!con) return length; - user = kzalloc(size+1, GFP_KERNEL); + user = kzalloc(size + 1, GFP_KERNEL); if (!user) goto out; @@ -678,7 +678,7 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size) if (sscanf(buf, "%s %s", con, user) != 2) goto out2; - length = security_context_to_sid(con, strlen(con)+1, &sid); + length = security_context_to_sid(con, strlen(con) + 1, &sid); if (length < 0) goto out2; @@ -727,11 +727,11 @@ static ssize_t sel_write_member(struct file *file, char *buf, size_t size) return length; length = -ENOMEM; - scon = kzalloc(size+1, GFP_KERNEL); + scon = kzalloc(size + 1, GFP_KERNEL); if (!scon) return length; - tcon = kzalloc(size+1, GFP_KERNEL); + tcon = kzalloc(size + 1, GFP_KERNEL); if (!tcon) goto out; @@ -739,10 +739,10 @@ static ssize_t sel_write_member(struct file *file, char *buf, size_t size) if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) goto out2; - length = security_context_to_sid(scon, strlen(scon)+1, &ssid); + length = security_context_to_sid(scon, strlen(scon) + 1, &ssid); if (length < 0) goto out2; - length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid); + length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid); if (length < 0) goto out2; @@ -1401,7 +1401,7 @@ static int sel_make_perm_files(char *objclass, int classvalue, } inode->i_fop = &sel_perm_ops; /* i+1 since perm values are 1-indexed */ - inode->i_ino = sel_perm_to_ino(classvalue, i+1); + inode->i_ino = sel_perm_to_ino(classvalue, i + 1); d_add(dentry, inode); } @@ -1489,7 +1489,7 @@ static int sel_make_classes(void) goto out; /* +2 since classes are 1-indexed */ - last_class_ino = sel_class_to_ino(nclasses+2); + last_class_ino = sel_class_to_ino(nclasses + 2); for (i = 0; i < nclasses; i++) { struct dentry *class_name_dir; @@ -1506,7 +1506,7 @@ static int sel_make_classes(void) goto out1; /* i+1 since class values are 1-indexed */ - rc = sel_make_class_dir_entries(classes[i], i+1, + rc = sel_make_class_dir_entries(classes[i], i + 1, class_name_dir); if (rc) goto out1; diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index 372b773f821..b4eff7a60c5 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c @@ -255,7 +255,7 @@ int mls_context_to_sid(struct policydb *pol, if (!pol->mls_enabled) { if (def_sid != SECSID_NULL && oldc) - *scontext += strlen(*scontext)+1; + *scontext += strlen(*scontext) + 1; return 0; } diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 23c6e53c102..c57802a164d 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -40,7 +40,7 @@ #define _DEBUG_HASHES #ifdef DEBUG_HASHES -static char *symtab_name[SYM_NUM] = { +static const char *symtab_name[SYM_NUM] = { "common prefixes", "classes", "roles", @@ -156,12 +156,11 @@ static int roles_init(struct policydb *p) rc = -EINVAL; goto out_free_role; } - key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL); + key = kstrdup(OBJECT_R, GFP_KERNEL); if (!key) { rc = -ENOMEM; goto out_free_role; } - strcpy(key, OBJECT_R); rc = hashtab_insert(p->p_roles.table, key, role); if (rc) goto out_free_key; @@ -2195,7 +2194,7 @@ int policydb_read(struct policydb *p, void *fp) rangetr_hash_eval(p->range_tr); } - p->type_attr_map = kmalloc(p->p_types.nprim*sizeof(struct ebitmap), GFP_KERNEL); + p->type_attr_map = kmalloc(p->p_types.nprim * sizeof(struct ebitmap), GFP_KERNEL); if (!p->type_attr_map) goto bad; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index cf27b3ee1a9..1de60ce90d9 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -274,15 +274,15 @@ static int constraint_expr_eval(struct context *scontext, case CEXPR_AND: BUG_ON(sp < 1); sp--; - s[sp] &= s[sp+1]; + s[sp] &= s[sp + 1]; break; case CEXPR_OR: BUG_ON(sp < 1); sp--; - s[sp] |= s[sp+1]; + s[sp] |= s[sp + 1]; break; case CEXPR_ATTR: - if (sp == (CEXPR_MAXDEPTH-1)) + if (sp == (CEXPR_MAXDEPTH - 1)) return 0; switch (e->attr) { case CEXPR_USER: @@ -1216,7 +1216,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len, *sid = SECSID_NULL; /* Copy the string so that we can modify the copy as we parse it. */ - scontext2 = kmalloc(scontext_len+1, gfp_flags); + scontext2 = kmalloc(scontext_len + 1, gfp_flags); if (!scontext2) return -ENOMEM; memcpy(scontext2, scontext, scontext_len); @@ -1760,22 +1760,28 @@ int security_load_policy(void *data, size_t len) if (!ss_initialized) { avtab_cache_init(); - if (policydb_read(&policydb, fp)) { + rc = policydb_read(&policydb, fp); + if (rc) { avtab_cache_destroy(); - return -EINVAL; + return rc; } - if (selinux_set_mapping(&policydb, secclass_map, - ¤t_mapping, - ¤t_mapping_size)) { + + rc = selinux_set_mapping(&policydb, secclass_map, + ¤t_mapping, + ¤t_mapping_size); + if (rc) { policydb_destroy(&policydb); avtab_cache_destroy(); - return -EINVAL; + return rc; } - if (policydb_load_isids(&policydb, &sidtab)) { + + rc = policydb_load_isids(&policydb, &sidtab); + if (rc) { policydb_destroy(&policydb); avtab_cache_destroy(); - return -EINVAL; + return rc; } + security_load_policycaps(); ss_initialized = 1; seqno = ++latest_granting; @@ -1791,8 +1797,9 @@ int security_load_policy(void *data, size_t len) sidtab_hash_eval(&sidtab, "sids"); #endif - if (policydb_read(&newpolicydb, fp)) - return -EINVAL; + rc = policydb_read(&newpolicydb, fp); + if (rc) + return rc; /* If switching between different policy types, log MLS status */ if (policydb.mls_enabled && !newpolicydb.mls_enabled) @@ -1807,8 +1814,8 @@ int security_load_policy(void *data, size_t len) return rc; } - if (selinux_set_mapping(&newpolicydb, secclass_map, - &map, &map_size)) + rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size); + if (rc) goto err; rc = security_preserve_bools(&newpolicydb); @@ -1819,10 +1826,10 @@ int security_load_policy(void *data, size_t len) /* Clone the SID table. */ sidtab_shutdown(&sidtab); - if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { - rc = -ENOMEM; + + rc = sidtab_map(&sidtab, clone_sid, &newsidtab); + if (rc) goto err; - } /* * Convert the internal representations of contexts @@ -2101,9 +2108,9 @@ int security_get_user_sids(u32 fromsid, ebitmap_for_each_positive_bit(&user->roles, rnode, i) { role = policydb.role_val_to_struct[i]; - usercon.role = i+1; + usercon.role = i + 1; ebitmap_for_each_positive_bit(&role->types, tnode, j) { - usercon.type = j+1; + usercon.type = j + 1; if (mls_setup_user_range(fromcon, user, &usercon)) continue; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index fdfeaa2f28e..0f2fc480fc6 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -19,7 +19,6 @@ #include <linux/pagemap.h> #include <linux/mount.h> #include <linux/stat.h> -#include <linux/ext2_fs.h> #include <linux/kd.h> #include <asm/ioctls.h> #include <linux/ip.h> @@ -1119,15 +1118,6 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old, } /** - * smack_cred_commit - commit new credentials - * @new: the new credentials - * @old: the original credentials - */ -static void smack_cred_commit(struct cred *new, const struct cred *old) -{ -} - -/** * smack_cred_transfer - Transfer the old credentials to the new credentials * @new: the new credentials * @old: the original credentials @@ -3121,7 +3111,6 @@ struct security_operations smack_ops = { .cred_alloc_blank = smack_cred_alloc_blank, .cred_free = smack_cred_free, .cred_prepare = smack_cred_prepare, - .cred_commit = smack_cred_commit, .cred_transfer = smack_cred_transfer, .kernel_act_as = smack_kernel_act_as, .kernel_create_files_as = smack_kernel_create_files_as, diff --git a/security/tomoyo/Makefile b/security/tomoyo/Makefile index 60a9e2002da..4fb39030f6b 100644 --- a/security/tomoyo/Makefile +++ b/security/tomoyo/Makefile @@ -1 +1 @@ -obj-y = common.o realpath.o tomoyo.o domain.o file.o gc.o +obj-y = common.o realpath.o tomoyo.o domain.o file.o gc.o path_group.o diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 975c45d88ba..b5dbdc9ff73 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -76,6 +76,49 @@ static int tomoyo_write_control(struct file *file, const char __user *buffer, const int buffer_len); /** + * tomoyo_parse_name_union - Parse a tomoyo_name_union. + * + * @filename: Name or name group. + * @ptr: Pointer to "struct tomoyo_name_union". + * + * Returns true on success, false otherwise. + */ +bool tomoyo_parse_name_union(const char *filename, + struct tomoyo_name_union *ptr) +{ + if (!tomoyo_is_correct_path(filename, 0, 0, 0)) + return false; + if (filename[0] == '@') { + ptr->group = tomoyo_get_path_group(filename + 1); + ptr->is_group = true; + return ptr->group != NULL; + } + ptr->filename = tomoyo_get_name(filename); + ptr->is_group = false; + return ptr->filename != NULL; +} + +/** + * tomoyo_print_name_union - Print a tomoyo_name_union. + * + * @head: Pointer to "struct tomoyo_io_buffer". + * @ptr: Pointer to "struct tomoyo_name_union". + * + * Returns true on success, false otherwise. + */ +static bool tomoyo_print_name_union(struct tomoyo_io_buffer *head, + const struct tomoyo_name_union *ptr) +{ + int pos = head->read_avail; + if (pos && head->read_buf[pos - 1] == ' ') + head->read_avail--; + if (ptr->is_group) + return tomoyo_io_printf(head, " @%s", + ptr->group->group_name->name); + return tomoyo_io_printf(head, " %s", ptr->filename->name); +} + +/** * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value. * * @str: Pointer to the string. @@ -172,6 +215,33 @@ static void tomoyo_normalize_line(unsigned char *buffer) } /** + * tomoyo_tokenize - Tokenize string. + * + * @buffer: The line to tokenize. + * @w: Pointer to "char *". + * @size: Sizeof @w . + * + * Returns true on success, false otherwise. + */ +bool tomoyo_tokenize(char *buffer, char *w[], size_t size) +{ + int count = size / sizeof(char *); + int i; + for (i = 0; i < count; i++) + w[i] = ""; + for (i = 0; i < count; i++) { + char *cp = strchr(buffer, ' '); + if (cp) + *cp = '\0'; + w[i] = buffer; + if (!cp) + break; + buffer = cp + 1; + } + return i < count || !*buffer; +} + +/** * tomoyo_is_correct_path - Validate a pathname. * @filename: The pathname to check. * @start_type: Should the pathname start with '/'? @@ -874,17 +944,17 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain) static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned int profile) { - static DEFINE_MUTEX(lock); struct tomoyo_profile *ptr = NULL; int i; if (profile >= TOMOYO_MAX_PROFILES) return NULL; - mutex_lock(&lock); + if (mutex_lock_interruptible(&tomoyo_policy_lock)) + return NULL; ptr = tomoyo_profile_ptr[profile]; if (ptr) goto ok; - ptr = kmalloc(sizeof(*ptr), GFP_KERNEL); + ptr = kmalloc(sizeof(*ptr), GFP_NOFS); if (!tomoyo_memory_ok(ptr)) { kfree(ptr); ptr = NULL; @@ -895,7 +965,7 @@ static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned mb(); /* Avoid out-of-order execution. */ tomoyo_profile_ptr[profile] = ptr; ok: - mutex_unlock(&lock); + mutex_unlock(&tomoyo_policy_lock); return ptr; } @@ -1071,44 +1141,42 @@ LIST_HEAD(tomoyo_policy_manager_list); static int tomoyo_update_manager_entry(const char *manager, const bool is_delete) { - struct tomoyo_policy_manager_entry *entry = NULL; struct tomoyo_policy_manager_entry *ptr; - const struct tomoyo_path_info *saved_manager; + struct tomoyo_policy_manager_entry e = { }; int error = is_delete ? -ENOENT : -ENOMEM; - bool is_domain = false; if (tomoyo_is_domain_def(manager)) { if (!tomoyo_is_correct_domain(manager)) return -EINVAL; - is_domain = true; + e.is_domain = true; } else { if (!tomoyo_is_correct_path(manager, 1, -1, -1)) return -EINVAL; } - saved_manager = tomoyo_get_name(manager); - if (!saved_manager) + e.manager = tomoyo_get_name(manager); + if (!e.manager) return -ENOMEM; - if (!is_delete) - entry = kmalloc(sizeof(*entry), GFP_KERNEL); - mutex_lock(&tomoyo_policy_lock); + if (mutex_lock_interruptible(&tomoyo_policy_lock)) + goto out; list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { - if (ptr->manager != saved_manager) + if (ptr->manager != e.manager) continue; ptr->is_deleted = is_delete; error = 0; break; } - if (!is_delete && error && tomoyo_memory_ok(entry)) { - entry->manager = saved_manager; - saved_manager = NULL; - entry->is_domain = is_domain; - list_add_tail_rcu(&entry->list, &tomoyo_policy_manager_list); - entry = NULL; - error = 0; + if (!is_delete && error) { + struct tomoyo_policy_manager_entry *entry = + tomoyo_commit_ok(&e, sizeof(e)); + if (entry) { + list_add_tail_rcu(&entry->list, + &tomoyo_policy_manager_list); + error = 0; + } } mutex_unlock(&tomoyo_policy_lock); - tomoyo_put_name(saved_manager); - kfree(entry); + out: + tomoyo_put_name(e.manager); return error; } @@ -1287,7 +1355,8 @@ static int tomoyo_delete_domain(char *domainname) name.name = domainname; tomoyo_fill_path_info(&name); - mutex_lock(&tomoyo_policy_lock); + if (mutex_lock_interruptible(&tomoyo_policy_lock)) + return 0; /* Is there an active domain? */ list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { /* Never delete tomoyo_kernel_domain */ @@ -1369,23 +1438,20 @@ static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head, { int pos; u8 bit; - const char *atmark = ""; - const char *filename; const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16); - filename = ptr->filename->name; for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { - const char *msg; if (!(perm & (1 << bit))) continue; /* Print "read/write" instead of "read" and "write". */ if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE) && (perm & (1 << TOMOYO_TYPE_READ_WRITE))) continue; - msg = tomoyo_path2keyword(bit); pos = head->read_avail; - if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg, - atmark, filename)) + if (!tomoyo_io_printf(head, "allow_%s ", + tomoyo_path2keyword(bit)) || + !tomoyo_print_name_union(head, &ptr->name) || + !tomoyo_io_printf(head, "\n")) goto out; } head->read_bit = 0; @@ -1408,23 +1474,18 @@ static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head, struct tomoyo_path2_acl *ptr) { int pos; - const char *atmark1 = ""; - const char *atmark2 = ""; - const char *filename1; - const char *filename2; const u8 perm = ptr->perm; u8 bit; - filename1 = ptr->filename1->name; - filename2 = ptr->filename2->name; for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) { - const char *msg; if (!(perm & (1 << bit))) continue; - msg = tomoyo_path22keyword(bit); pos = head->read_avail; - if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg, - atmark1, filename1, atmark2, filename2)) + if (!tomoyo_io_printf(head, "allow_%s ", + tomoyo_path22keyword(bit)) || + !tomoyo_print_name_union(head, &ptr->name1) || + !tomoyo_print_name_union(head, &ptr->name2) || + !tomoyo_io_printf(head, "\n")) goto out; } head->read_bit = 0; @@ -1687,6 +1748,8 @@ static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head) return tomoyo_write_pattern_policy(data, is_delete); if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE)) return tomoyo_write_no_rewrite_policy(data, is_delete); + if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_PATH_GROUP)) + return tomoyo_write_path_group_policy(data, is_delete); return -EINVAL; } @@ -1743,6 +1806,12 @@ static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head) head->read_var2 = NULL; head->read_step = 9; case 9: + if (!tomoyo_read_path_group_policy(head)) + break; + head->read_var1 = NULL; + head->read_var2 = NULL; + head->read_step = 10; + case 10: head->read_eof = true; break; default: @@ -1886,7 +1955,7 @@ static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head) */ static int tomoyo_open_control(const u8 type, struct file *file) { - struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_KERNEL); + struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS); if (!head) return -ENOMEM; @@ -1947,7 +2016,7 @@ static int tomoyo_open_control(const u8 type, struct file *file) } else { if (!head->readbuf_size) head->readbuf_size = 4096 * 2; - head->read_buf = kzalloc(head->readbuf_size, GFP_KERNEL); + head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS); if (!head->read_buf) { kfree(head); return -ENOMEM; @@ -1961,7 +2030,7 @@ static int tomoyo_open_control(const u8 type, struct file *file) head->write = NULL; } else if (head->write) { head->writebuf_size = 4096 * 2; - head->write_buf = kzalloc(head->writebuf_size, GFP_KERNEL); + head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS); if (!head->write_buf) { kfree(head->read_buf); kfree(head); diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 67bd22dd3e6..9f1ae5e3ba5 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -54,6 +54,7 @@ struct linux_binprm; #define TOMOYO_KEYWORD_KEEP_DOMAIN "keep_domain " #define TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN "no_initialize_domain " #define TOMOYO_KEYWORD_NO_KEEP_DOMAIN "no_keep_domain " +#define TOMOYO_KEYWORD_PATH_GROUP "path_group " #define TOMOYO_KEYWORD_SELECT "select " #define TOMOYO_KEYWORD_USE_PROFILE "use_profile " #define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read" @@ -204,6 +205,27 @@ struct tomoyo_path_info_with_data { char barrier2[16]; /* Safeguard for overrun. */ }; +struct tomoyo_name_union { + const struct tomoyo_path_info *filename; + struct tomoyo_path_group *group; + u8 is_group; +}; + +/* Structure for "path_group" directive. */ +struct tomoyo_path_group { + struct list_head list; + const struct tomoyo_path_info *group_name; + struct list_head member_list; + atomic_t users; +}; + +/* Structure for "path_group" directive. */ +struct tomoyo_path_group_member { + struct list_head list; + bool is_deleted; + const struct tomoyo_path_info *member_name; +}; + /* * tomoyo_acl_info is a structure which is used for holding * @@ -274,7 +296,7 @@ struct tomoyo_domain_info { * * (1) "head" which is a "struct tomoyo_acl_info". * (2) "perm" which is a bitmask of permitted operations. - * (3) "filename" is the pathname. + * (3) "name" is the pathname. * * Directives held by this structure are "allow_read/write", "allow_execute", * "allow_read", "allow_write", "allow_create", "allow_unlink", "allow_mkdir", @@ -287,8 +309,7 @@ struct tomoyo_path_acl { struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */ u8 perm_high; u16 perm; - /* Pointer to single pathname. */ - const struct tomoyo_path_info *filename; + struct tomoyo_name_union name; }; /* @@ -298,8 +319,8 @@ struct tomoyo_path_acl { * * (1) "head" which is a "struct tomoyo_acl_info". * (2) "perm" which is a bitmask of permitted operations. - * (3) "filename1" is the source/old pathname. - * (4) "filename2" is the destination/new pathname. + * (3) "name1" is the source/old pathname. + * (4) "name2" is the destination/new pathname. * * Directives held by this structure are "allow_rename", "allow_link" and * "allow_pivot_root". @@ -307,10 +328,8 @@ struct tomoyo_path_acl { struct tomoyo_path2_acl { struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */ u8 perm; - /* Pointer to single pathname. */ - const struct tomoyo_path_info *filename1; - /* Pointer to single pathname. */ - const struct tomoyo_path_info *filename2; + struct tomoyo_name_union name1; + struct tomoyo_name_union name2; }; /* @@ -514,6 +533,9 @@ struct tomoyo_policy_manager_entry { /********** Function prototypes. **********/ +/* Check whether the given name matches the given name_union. */ +bool tomoyo_compare_name_union(const struct tomoyo_path_info *name, + const struct tomoyo_name_union *ptr); /* Check whether the domain has too many ACL entries to hold. */ bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain); /* Transactional sprintf() for policy dump. */ @@ -526,6 +548,12 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type, const s8 pattern_type, const s8 end_type); /* Check whether the token can be a domainname. */ bool tomoyo_is_domain_def(const unsigned char *buffer); +bool tomoyo_parse_name_union(const char *filename, + struct tomoyo_name_union *ptr); +/* Check whether the given filename matches the given path_group. */ +bool tomoyo_path_matches_group(const struct tomoyo_path_info *pathname, + const struct tomoyo_path_group *group, + const bool may_use_pattern); /* Check whether the given filename matches the given pattern. */ bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, const struct tomoyo_path_info *pattern); @@ -540,10 +568,14 @@ bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head); bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head); /* Read "file_pattern" entry in exception policy. */ bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head); +/* Read "path_group" entry in exception policy. */ +bool tomoyo_read_path_group_policy(struct tomoyo_io_buffer *head); /* Read "allow_read" entry in exception policy. */ bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head); /* Read "deny_rewrite" entry in exception policy. */ bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head); +/* Tokenize a line. */ +bool tomoyo_tokenize(char *buffer, char *w[], size_t size); /* Write domain policy violation warning message to console? */ bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain); /* Convert double path operation to operation name. */ @@ -580,12 +612,18 @@ int tomoyo_write_globally_readable_policy(char *data, const bool is_delete); int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete); /* Create "file_pattern" entry in exception policy. */ int tomoyo_write_pattern_policy(char *data, const bool is_delete); +/* Create "path_group" entry in exception policy. */ +int tomoyo_write_path_group_policy(char *data, const bool is_delete); /* Find a domain by the given name. */ struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname); /* Find or create a domain by the given name. */ struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * domainname, const u8 profile); + +/* Allocate memory for "struct tomoyo_path_group". */ +struct tomoyo_path_group *tomoyo_get_path_group(const char *group_name); + /* Check mode for specified functionality. */ unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, const u8 index); @@ -616,6 +654,7 @@ char *tomoyo_realpath_from_path(struct path *path); /* Check memory quota. */ bool tomoyo_memory_ok(void *ptr); +void *tomoyo_commit_ok(void *data, const unsigned int size); /* * Keep the given name on the RAM. @@ -641,6 +680,9 @@ int tomoyo_path2_perm(const u8 operation, struct path *path1, int tomoyo_check_rewrite_permission(struct file *filp); int tomoyo_find_next_domain(struct linux_binprm *bprm); +/* Drop refcount on tomoyo_name_union. */ +void tomoyo_put_name_union(struct tomoyo_name_union *ptr); + /* Run garbage collector. */ void tomoyo_run_gc(void); @@ -654,6 +696,7 @@ extern struct srcu_struct tomoyo_ss; /* The list for "struct tomoyo_domain_info". */ extern struct list_head tomoyo_domain_list; +extern struct list_head tomoyo_path_group_list; extern struct list_head tomoyo_domain_initializer_list; extern struct list_head tomoyo_domain_keeper_list; extern struct list_head tomoyo_alias_list; @@ -662,7 +705,6 @@ extern struct list_head tomoyo_pattern_list; extern struct list_head tomoyo_no_rewrite_list; extern struct list_head tomoyo_policy_manager_list; extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH]; -extern struct mutex tomoyo_name_list_lock; /* Lock for protecting policy. */ extern struct mutex tomoyo_policy_lock; @@ -725,6 +767,12 @@ static inline void tomoyo_put_name(const struct tomoyo_path_info *name) } } +static inline void tomoyo_put_path_group(struct tomoyo_path_group *group) +{ + if (group) + atomic_dec(&group->users); +} + static inline struct tomoyo_domain_info *tomoyo_domain(void) { return current_cred()->security; @@ -736,6 +784,59 @@ static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct return task_cred_xxx(task, security); } +static inline bool tomoyo_is_same_acl_head(const struct tomoyo_acl_info *p1, + const struct tomoyo_acl_info *p2) +{ + return p1->type == p2->type; +} + +static inline bool tomoyo_is_same_name_union +(const struct tomoyo_name_union *p1, const struct tomoyo_name_union *p2) +{ + return p1->filename == p2->filename && p1->group == p2->group && + p1->is_group == p2->is_group; +} + +static inline bool tomoyo_is_same_path_acl(const struct tomoyo_path_acl *p1, + const struct tomoyo_path_acl *p2) +{ + return tomoyo_is_same_acl_head(&p1->head, &p2->head) && + tomoyo_is_same_name_union(&p1->name, &p2->name); +} + +static inline bool tomoyo_is_same_path2_acl(const struct tomoyo_path2_acl *p1, + const struct tomoyo_path2_acl *p2) +{ + return tomoyo_is_same_acl_head(&p1->head, &p2->head) && + tomoyo_is_same_name_union(&p1->name1, &p2->name1) && + tomoyo_is_same_name_union(&p1->name2, &p2->name2); +} + +static inline bool tomoyo_is_same_domain_initializer_entry +(const struct tomoyo_domain_initializer_entry *p1, + const struct tomoyo_domain_initializer_entry *p2) +{ + return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name + && p1->domainname == p2->domainname + && p1->program == p2->program; +} + +static inline bool tomoyo_is_same_domain_keeper_entry +(const struct tomoyo_domain_keeper_entry *p1, + const struct tomoyo_domain_keeper_entry *p2) +{ + return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name + && p1->domainname == p2->domainname + && p1->program == p2->program; +} + +static inline bool tomoyo_is_same_alias_entry +(const struct tomoyo_alias_entry *p1, const struct tomoyo_alias_entry *p2) +{ + return p1->original_name == p2->original_name && + p1->aliased_name == p2->aliased_name; +} + /** * list_for_each_cookie - iterate over a list with cookie. * @pos: the &struct list_head to use as a loop cursor. diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index acb8c397d5c..cd8ba444676 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -130,57 +130,47 @@ static int tomoyo_update_domain_initializer_entry(const char *domainname, const bool is_not, const bool is_delete) { - struct tomoyo_domain_initializer_entry *entry = NULL; struct tomoyo_domain_initializer_entry *ptr; - const struct tomoyo_path_info *saved_program = NULL; - const struct tomoyo_path_info *saved_domainname = NULL; + struct tomoyo_domain_initializer_entry e = { .is_not = is_not }; int error = is_delete ? -ENOENT : -ENOMEM; - bool is_last_name = false; if (!tomoyo_is_correct_path(program, 1, -1, -1)) return -EINVAL; /* No patterns allowed. */ if (domainname) { if (!tomoyo_is_domain_def(domainname) && tomoyo_is_correct_path(domainname, 1, -1, -1)) - is_last_name = true; + e.is_last_name = true; else if (!tomoyo_is_correct_domain(domainname)) return -EINVAL; - saved_domainname = tomoyo_get_name(domainname); - if (!saved_domainname) + e.domainname = tomoyo_get_name(domainname); + if (!e.domainname) goto out; } - saved_program = tomoyo_get_name(program); - if (!saved_program) + e.program = tomoyo_get_name(program); + if (!e.program) + goto out; + if (mutex_lock_interruptible(&tomoyo_policy_lock)) goto out; - if (!is_delete) - entry = kmalloc(sizeof(*entry), GFP_KERNEL); - mutex_lock(&tomoyo_policy_lock); list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, list) { - if (ptr->is_not != is_not || - ptr->domainname != saved_domainname || - ptr->program != saved_program) + if (!tomoyo_is_same_domain_initializer_entry(ptr, &e)) continue; ptr->is_deleted = is_delete; error = 0; break; } - if (!is_delete && error && tomoyo_memory_ok(entry)) { - entry->domainname = saved_domainname; - saved_domainname = NULL; - entry->program = saved_program; - saved_program = NULL; - entry->is_not = is_not; - entry->is_last_name = is_last_name; - list_add_tail_rcu(&entry->list, - &tomoyo_domain_initializer_list); - entry = NULL; - error = 0; + if (!is_delete && error) { + struct tomoyo_domain_initializer_entry *entry = + tomoyo_commit_ok(&e, sizeof(e)); + if (entry) { + list_add_tail_rcu(&entry->list, + &tomoyo_domain_initializer_list); + error = 0; + } } mutex_unlock(&tomoyo_policy_lock); out: - tomoyo_put_name(saved_domainname); - tomoyo_put_name(saved_program); - kfree(entry); + tomoyo_put_name(e.domainname); + tomoyo_put_name(e.program); return error; } @@ -350,56 +340,47 @@ static int tomoyo_update_domain_keeper_entry(const char *domainname, const bool is_not, const bool is_delete) { - struct tomoyo_domain_keeper_entry *entry = NULL; struct tomoyo_domain_keeper_entry *ptr; - const struct tomoyo_path_info *saved_domainname = NULL; - const struct tomoyo_path_info *saved_program = NULL; + struct tomoyo_domain_keeper_entry e = { .is_not = is_not }; int error = is_delete ? -ENOENT : -ENOMEM; - bool is_last_name = false; if (!tomoyo_is_domain_def(domainname) && tomoyo_is_correct_path(domainname, 1, -1, -1)) - is_last_name = true; + e.is_last_name = true; else if (!tomoyo_is_correct_domain(domainname)) return -EINVAL; if (program) { if (!tomoyo_is_correct_path(program, 1, -1, -1)) return -EINVAL; - saved_program = tomoyo_get_name(program); - if (!saved_program) + e.program = tomoyo_get_name(program); + if (!e.program) goto out; } - saved_domainname = tomoyo_get_name(domainname); - if (!saved_domainname) + e.domainname = tomoyo_get_name(domainname); + if (!e.domainname) + goto out; + if (mutex_lock_interruptible(&tomoyo_policy_lock)) goto out; - if (!is_delete) - entry = kmalloc(sizeof(*entry), GFP_KERNEL); - mutex_lock(&tomoyo_policy_lock); list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) { - if (ptr->is_not != is_not || - ptr->domainname != saved_domainname || - ptr->program != saved_program) + if (!tomoyo_is_same_domain_keeper_entry(ptr, &e)) continue; ptr->is_deleted = is_delete; error = 0; break; } - if (!is_delete && error && tomoyo_memory_ok(entry)) { - entry->domainname = saved_domainname; - saved_domainname = NULL; - entry->program = saved_program; - saved_program = NULL; - entry->is_not = is_not; - entry->is_last_name = is_last_name; - list_add_tail_rcu(&entry->list, &tomoyo_domain_keeper_list); - entry = NULL; - error = 0; + if (!is_delete && error) { + struct tomoyo_domain_keeper_entry *entry = + tomoyo_commit_ok(&e, sizeof(e)); + if (entry) { + list_add_tail_rcu(&entry->list, + &tomoyo_domain_keeper_list); + error = 0; + } } mutex_unlock(&tomoyo_policy_lock); out: - tomoyo_put_name(saved_domainname); - tomoyo_put_name(saved_program); - kfree(entry); + tomoyo_put_name(e.domainname); + tomoyo_put_name(e.program); return error; } @@ -551,44 +532,38 @@ static int tomoyo_update_alias_entry(const char *original_name, const char *aliased_name, const bool is_delete) { - struct tomoyo_alias_entry *entry = NULL; struct tomoyo_alias_entry *ptr; - const struct tomoyo_path_info *saved_original_name; - const struct tomoyo_path_info *saved_aliased_name; + struct tomoyo_alias_entry e = { }; int error = is_delete ? -ENOENT : -ENOMEM; if (!tomoyo_is_correct_path(original_name, 1, -1, -1) || !tomoyo_is_correct_path(aliased_name, 1, -1, -1)) return -EINVAL; /* No patterns allowed. */ - saved_original_name = tomoyo_get_name(original_name); - saved_aliased_name = tomoyo_get_name(aliased_name); - if (!saved_original_name || !saved_aliased_name) + e.original_name = tomoyo_get_name(original_name); + e.aliased_name = tomoyo_get_name(aliased_name); + if (!e.original_name || !e.aliased_name) + goto out; + if (mutex_lock_interruptible(&tomoyo_policy_lock)) goto out; - if (!is_delete) - entry = kmalloc(sizeof(*entry), GFP_KERNEL); - mutex_lock(&tomoyo_policy_lock); list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) { - if (ptr->original_name != saved_original_name || - ptr->aliased_name != saved_aliased_name) + if (!tomoyo_is_same_alias_entry(ptr, &e)) continue; ptr->is_deleted = is_delete; error = 0; break; } - if (!is_delete && error && tomoyo_memory_ok(entry)) { - entry->original_name = saved_original_name; - saved_original_name = NULL; - entry->aliased_name = saved_aliased_name; - saved_aliased_name = NULL; - list_add_tail_rcu(&entry->list, &tomoyo_alias_list); - entry = NULL; - error = 0; + if (!is_delete && error) { + struct tomoyo_alias_entry *entry = + tomoyo_commit_ok(&e, sizeof(e)); + if (entry) { + list_add_tail_rcu(&entry->list, &tomoyo_alias_list); + error = 0; + } } mutex_unlock(&tomoyo_policy_lock); out: - tomoyo_put_name(saved_original_name); - tomoyo_put_name(saved_aliased_name); - kfree(entry); + tomoyo_put_name(e.original_name); + tomoyo_put_name(e.aliased_name); return error; } @@ -656,7 +631,7 @@ struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * const u8 profile) { struct tomoyo_domain_info *entry; - struct tomoyo_domain_info *domain; + struct tomoyo_domain_info *domain = NULL; const struct tomoyo_path_info *saved_domainname; bool found = false; @@ -665,8 +640,9 @@ struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * saved_domainname = tomoyo_get_name(domainname); if (!saved_domainname) return NULL; - entry = kzalloc(sizeof(*entry), GFP_KERNEL); - mutex_lock(&tomoyo_policy_lock); + entry = kzalloc(sizeof(*entry), GFP_NOFS); + if (mutex_lock_interruptible(&tomoyo_policy_lock)) + goto out; list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { if (domain->is_deleted || tomoyo_pathcmp(saved_domainname, domain->domainname)) @@ -685,6 +661,7 @@ struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * found = true; } mutex_unlock(&tomoyo_policy_lock); + out: tomoyo_put_name(saved_domainname); kfree(entry); return found ? domain : NULL; @@ -705,7 +682,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) * This function assumes that the size of buffer returned by * tomoyo_realpath() = TOMOYO_MAX_PATHNAME_LEN. */ - struct tomoyo_page_buffer *tmp = kzalloc(sizeof(*tmp), GFP_KERNEL); + struct tomoyo_page_buffer *tmp = kzalloc(sizeof(*tmp), GFP_NOFS); struct tomoyo_domain_info *old_domain = tomoyo_domain(); struct tomoyo_domain_info *domain = NULL; const char *old_domain_name = old_domain->domainname->name; diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 6f3fe76a1fd..1c6f8238ec4 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c @@ -45,6 +45,37 @@ static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = { [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root", }; +void tomoyo_put_name_union(struct tomoyo_name_union *ptr) +{ + if (!ptr) + return; + if (ptr->is_group) + tomoyo_put_path_group(ptr->group); + else + tomoyo_put_name(ptr->filename); +} + +bool tomoyo_compare_name_union(const struct tomoyo_path_info *name, + const struct tomoyo_name_union *ptr) +{ + if (ptr->is_group) + return tomoyo_path_matches_group(name, ptr->group, 1); + return tomoyo_path_matches_pattern(name, ptr->filename); +} + +static bool tomoyo_compare_name_union_pattern(const struct tomoyo_path_info + *name, + const struct tomoyo_name_union + *ptr, const bool may_use_pattern) +{ + if (ptr->is_group) + return tomoyo_path_matches_group(name, ptr->group, + may_use_pattern); + if (may_use_pattern || !ptr->filename->is_patterned) + return tomoyo_path_matches_pattern(name, ptr->filename); + return false; +} + /** * tomoyo_path2keyword - Get the name of single path operation. * @@ -100,7 +131,7 @@ static struct tomoyo_path_info *tomoyo_get_path(struct path *path) { int error; struct tomoyo_path_info_with_data *buf = kzalloc(sizeof(*buf), - GFP_KERNEL); + GFP_NOFS); if (!buf) return NULL; @@ -164,36 +195,36 @@ LIST_HEAD(tomoyo_globally_readable_list); static int tomoyo_update_globally_readable_entry(const char *filename, const bool is_delete) { - struct tomoyo_globally_readable_file_entry *entry = NULL; struct tomoyo_globally_readable_file_entry *ptr; - const struct tomoyo_path_info *saved_filename; + struct tomoyo_globally_readable_file_entry e = { }; int error = is_delete ? -ENOENT : -ENOMEM; if (!tomoyo_is_correct_path(filename, 1, 0, -1)) return -EINVAL; - saved_filename = tomoyo_get_name(filename); - if (!saved_filename) + e.filename = tomoyo_get_name(filename); + if (!e.filename) return -ENOMEM; - if (!is_delete) - entry = kmalloc(sizeof(*entry), GFP_KERNEL); - mutex_lock(&tomoyo_policy_lock); + if (mutex_lock_interruptible(&tomoyo_policy_lock)) + goto out; list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) { - if (ptr->filename != saved_filename) + if (ptr->filename != e.filename) continue; ptr->is_deleted = is_delete; error = 0; break; } - if (!is_delete && error && tomoyo_memory_ok(entry)) { - entry->filename = saved_filename; - saved_filename = NULL; - list_add_tail_rcu(&entry->list, &tomoyo_globally_readable_list); - entry = NULL; - error = 0; + if (!is_delete && error) { + struct tomoyo_globally_readable_file_entry *entry = + tomoyo_commit_ok(&e, sizeof(e)); + if (entry) { + list_add_tail_rcu(&entry->list, + &tomoyo_globally_readable_list); + error = 0; + } } mutex_unlock(&tomoyo_policy_lock); - tomoyo_put_name(saved_filename); - kfree(entry); + out: + tomoyo_put_name(e.filename); return error; } @@ -311,37 +342,34 @@ LIST_HEAD(tomoyo_pattern_list); static int tomoyo_update_file_pattern_entry(const char *pattern, const bool is_delete) { - struct tomoyo_pattern_entry *entry = NULL; struct tomoyo_pattern_entry *ptr; - const struct tomoyo_path_info *saved_pattern; + struct tomoyo_pattern_entry e = { .pattern = tomoyo_get_name(pattern) }; int error = is_delete ? -ENOENT : -ENOMEM; - saved_pattern = tomoyo_get_name(pattern); - if (!saved_pattern) + if (!e.pattern) return error; - if (!saved_pattern->is_patterned) + if (!e.pattern->is_patterned) + goto out; + if (mutex_lock_interruptible(&tomoyo_policy_lock)) goto out; - if (!is_delete) - entry = kmalloc(sizeof(*entry), GFP_KERNEL); - mutex_lock(&tomoyo_policy_lock); list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) { - if (saved_pattern != ptr->pattern) + if (e.pattern != ptr->pattern) continue; ptr->is_deleted = is_delete; error = 0; break; } - if (!is_delete && error && tomoyo_memory_ok(entry)) { - entry->pattern = saved_pattern; - saved_pattern = NULL; - list_add_tail_rcu(&entry->list, &tomoyo_pattern_list); - entry = NULL; - error = 0; + if (!is_delete && error) { + struct tomoyo_pattern_entry *entry = + tomoyo_commit_ok(&e, sizeof(e)); + if (entry) { + list_add_tail_rcu(&entry->list, &tomoyo_pattern_list); + error = 0; + } } mutex_unlock(&tomoyo_policy_lock); out: - kfree(entry); - tomoyo_put_name(saved_pattern); + tomoyo_put_name(e.pattern); return error; } @@ -464,36 +492,36 @@ LIST_HEAD(tomoyo_no_rewrite_list); static int tomoyo_update_no_rewrite_entry(const char *pattern, const bool is_delete) { - struct tomoyo_no_rewrite_entry *entry = NULL; struct tomoyo_no_rewrite_entry *ptr; - const struct tomoyo_path_info *saved_pattern; + struct tomoyo_no_rewrite_entry e = { }; int error = is_delete ? -ENOENT : -ENOMEM; if (!tomoyo_is_correct_path(pattern, 0, 0, 0)) return -EINVAL; - saved_pattern = tomoyo_get_name(pattern); - if (!saved_pattern) + e.pattern = tomoyo_get_name(pattern); + if (!e.pattern) return error; - if (!is_delete) - entry = kmalloc(sizeof(*entry), GFP_KERNEL); - mutex_lock(&tomoyo_policy_lock); + if (mutex_lock_interruptible(&tomoyo_policy_lock)) + goto out; list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) { - if (ptr->pattern != saved_pattern) + if (ptr->pattern != e.pattern) continue; ptr->is_deleted = is_delete; error = 0; break; } - if (!is_delete && error && tomoyo_memory_ok(entry)) { - entry->pattern = saved_pattern; - saved_pattern = NULL; - list_add_tail_rcu(&entry->list, &tomoyo_no_rewrite_list); - entry = NULL; - error = 0; + if (!is_delete && error) { + struct tomoyo_no_rewrite_entry *entry = + tomoyo_commit_ok(&e, sizeof(e)); + if (entry) { + list_add_tail_rcu(&entry->list, + &tomoyo_no_rewrite_list); + error = 0; + } } mutex_unlock(&tomoyo_policy_lock); - tomoyo_put_name(saved_pattern); - kfree(entry); + out: + tomoyo_put_name(e.pattern); return error; } @@ -640,13 +668,9 @@ static int tomoyo_path_acl2(const struct tomoyo_domain_info *domain, if (!(acl->perm_high & (perm >> 16))) continue; } - if (may_use_pattern || !acl->filename->is_patterned) { - if (!tomoyo_path_matches_pattern(filename, - acl->filename)) - continue; - } else { + if (!tomoyo_compare_name_union_pattern(filename, &acl->name, + may_use_pattern)) continue; - } error = 0; break; } @@ -805,70 +829,64 @@ static int tomoyo_update_path_acl(const u8 type, const char *filename, struct tomoyo_domain_info *const domain, const bool is_delete) { - static const u32 rw_mask = + static const u32 tomoyo_rw_mask = (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE); - const struct tomoyo_path_info *saved_filename; + const u32 perm = 1 << type; struct tomoyo_acl_info *ptr; - struct tomoyo_path_acl *entry = NULL; + struct tomoyo_path_acl e = { + .head.type = TOMOYO_TYPE_PATH_ACL, + .perm_high = perm >> 16, + .perm = perm + }; int error = is_delete ? -ENOENT : -ENOMEM; - const u32 perm = 1 << type; + if (type == TOMOYO_TYPE_READ_WRITE) + e.perm |= tomoyo_rw_mask; if (!domain) return -EINVAL; - if (!tomoyo_is_correct_path(filename, 0, 0, 0)) + if (!tomoyo_parse_name_union(filename, &e.name)) return -EINVAL; - saved_filename = tomoyo_get_name(filename); - if (!saved_filename) - return -ENOMEM; - if (!is_delete) - entry = kmalloc(sizeof(*entry), GFP_KERNEL); - mutex_lock(&tomoyo_policy_lock); + if (mutex_lock_interruptible(&tomoyo_policy_lock)) + goto out; list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { struct tomoyo_path_acl *acl = container_of(ptr, struct tomoyo_path_acl, head); - if (ptr->type != TOMOYO_TYPE_PATH_ACL) - continue; - if (acl->filename != saved_filename) + if (!tomoyo_is_same_path_acl(acl, &e)) continue; if (is_delete) { if (perm <= 0xFFFF) acl->perm &= ~perm; else acl->perm_high &= ~(perm >> 16); - if ((acl->perm & rw_mask) != rw_mask) + if ((acl->perm & tomoyo_rw_mask) != tomoyo_rw_mask) acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE); else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))) - acl->perm &= ~rw_mask; + acl->perm &= ~tomoyo_rw_mask; } else { if (perm <= 0xFFFF) acl->perm |= perm; else acl->perm_high |= (perm >> 16); - if ((acl->perm & rw_mask) == rw_mask) + if ((acl->perm & tomoyo_rw_mask) == tomoyo_rw_mask) acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE; else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)) - acl->perm |= rw_mask; + acl->perm |= tomoyo_rw_mask; } error = 0; break; } - if (!is_delete && error && tomoyo_memory_ok(entry)) { - entry->head.type = TOMOYO_TYPE_PATH_ACL; - if (perm <= 0xFFFF) - entry->perm = perm; - else - entry->perm_high = (perm >> 16); - if (perm == (1 << TOMOYO_TYPE_READ_WRITE)) - entry->perm |= rw_mask; - entry->filename = saved_filename; - saved_filename = NULL; - list_add_tail_rcu(&entry->head.list, &domain->acl_info_list); - entry = NULL; - error = 0; + if (!is_delete && error) { + struct tomoyo_path_acl *entry = + tomoyo_commit_ok(&e, sizeof(e)); + if (entry) { + list_add_tail_rcu(&entry->head.list, + &domain->acl_info_list); + error = 0; + } } mutex_unlock(&tomoyo_policy_lock); - kfree(entry); - tomoyo_put_name(saved_filename); + out: + tomoyo_put_name_union(&e.name); return error; } @@ -890,32 +908,25 @@ static int tomoyo_update_path2_acl(const u8 type, const char *filename1, struct tomoyo_domain_info *const domain, const bool is_delete) { - const struct tomoyo_path_info *saved_filename1; - const struct tomoyo_path_info *saved_filename2; + const u8 perm = 1 << type; + struct tomoyo_path2_acl e = { + .head.type = TOMOYO_TYPE_PATH2_ACL, + .perm = perm + }; struct tomoyo_acl_info *ptr; - struct tomoyo_path2_acl *entry = NULL; int error = is_delete ? -ENOENT : -ENOMEM; - const u8 perm = 1 << type; if (!domain) return -EINVAL; - if (!tomoyo_is_correct_path(filename1, 0, 0, 0) || - !tomoyo_is_correct_path(filename2, 0, 0, 0)) - return -EINVAL; - saved_filename1 = tomoyo_get_name(filename1); - saved_filename2 = tomoyo_get_name(filename2); - if (!saved_filename1 || !saved_filename2) + if (!tomoyo_parse_name_union(filename1, &e.name1) || + !tomoyo_parse_name_union(filename2, &e.name2)) + goto out; + if (mutex_lock_interruptible(&tomoyo_policy_lock)) goto out; - if (!is_delete) - entry = kmalloc(sizeof(*entry), GFP_KERNEL); - mutex_lock(&tomoyo_policy_lock); list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { struct tomoyo_path2_acl *acl = container_of(ptr, struct tomoyo_path2_acl, head); - if (ptr->type != TOMOYO_TYPE_PATH2_ACL) - continue; - if (acl->filename1 != saved_filename1 || - acl->filename2 != saved_filename2) + if (!tomoyo_is_same_path2_acl(acl, &e)) continue; if (is_delete) acl->perm &= ~perm; @@ -924,22 +935,19 @@ static int tomoyo_update_path2_acl(const u8 type, const char *filename1, error = 0; break; } - if (!is_delete && error && tomoyo_memory_ok(entry)) { - entry->head.type = TOMOYO_TYPE_PATH2_ACL; - entry->perm = perm; - entry->filename1 = saved_filename1; - saved_filename1 = NULL; - entry->filename2 = saved_filename2; - saved_filename2 = NULL; - list_add_tail_rcu(&entry->head.list, &domain->acl_info_list); - entry = NULL; - error = 0; + if (!is_delete && error) { + struct tomoyo_path2_acl *entry = + tomoyo_commit_ok(&e, sizeof(e)); + if (entry) { + list_add_tail_rcu(&entry->head.list, + &domain->acl_info_list); + error = 0; + } } mutex_unlock(&tomoyo_policy_lock); out: - tomoyo_put_name(saved_filename1); - tomoyo_put_name(saved_filename2); - kfree(entry); + tomoyo_put_name_union(&e.name1); + tomoyo_put_name_union(&e.name2); return error; } @@ -992,9 +1000,9 @@ static int tomoyo_path2_acl(const struct tomoyo_domain_info *domain, acl = container_of(ptr, struct tomoyo_path2_acl, head); if (!(acl->perm & perm)) continue; - if (!tomoyo_path_matches_pattern(filename1, acl->filename1)) + if (!tomoyo_compare_name_union(filename1, &acl->name1)) continue; - if (!tomoyo_path_matches_pattern(filename2, acl->filename2)) + if (!tomoyo_compare_name_union(filename2, &acl->name2)) continue; error = 0; break; diff --git a/security/tomoyo/gc.c b/security/tomoyo/gc.c index d9ad35bc7fa..b9cc71b0431 100644 --- a/security/tomoyo/gc.c +++ b/security/tomoyo/gc.c @@ -12,6 +12,8 @@ #include <linux/slab.h> enum tomoyo_gc_id { + TOMOYO_ID_PATH_GROUP, + TOMOYO_ID_PATH_GROUP_MEMBER, TOMOYO_ID_DOMAIN_INITIALIZER, TOMOYO_ID_DOMAIN_KEEPER, TOMOYO_ID_ALIAS, @@ -91,15 +93,15 @@ static void tomoyo_del_acl(struct tomoyo_acl_info *acl) { struct tomoyo_path_acl *entry = container_of(acl, typeof(*entry), head); - tomoyo_put_name(entry->filename); + tomoyo_put_name_union(&entry->name); } break; case TOMOYO_TYPE_PATH2_ACL: { struct tomoyo_path2_acl *entry = container_of(acl, typeof(*entry), head); - tomoyo_put_name(entry->filename1); - tomoyo_put_name(entry->filename2); + tomoyo_put_name_union(&entry->name1); + tomoyo_put_name_union(&entry->name2); } break; default: @@ -149,9 +151,21 @@ static void tomoyo_del_name(const struct tomoyo_name_entry *ptr) { } +static void tomoyo_del_path_group_member(struct tomoyo_path_group_member + *member) +{ + tomoyo_put_name(member->member_name); +} + +static void tomoyo_del_path_group(struct tomoyo_path_group *group) +{ + tomoyo_put_name(group->group_name); +} + static void tomoyo_collect_entry(void) { - mutex_lock(&tomoyo_policy_lock); + if (mutex_lock_interruptible(&tomoyo_policy_lock)) + return; { struct tomoyo_globally_readable_file_entry *ptr; list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, @@ -275,8 +289,6 @@ static void tomoyo_collect_entry(void) break; } } - mutex_unlock(&tomoyo_policy_lock); - mutex_lock(&tomoyo_name_list_lock); { int i; for (i = 0; i < TOMOYO_MAX_HASH; i++) { @@ -294,7 +306,30 @@ static void tomoyo_collect_entry(void) } } } - mutex_unlock(&tomoyo_name_list_lock); + { + struct tomoyo_path_group *group; + list_for_each_entry_rcu(group, &tomoyo_path_group_list, list) { + struct tomoyo_path_group_member *member; + list_for_each_entry_rcu(member, &group->member_list, + list) { + if (!member->is_deleted) + continue; + if (tomoyo_add_to_gc(TOMOYO_ID_PATH_GROUP_MEMBER, + member)) + list_del_rcu(&member->list); + else + break; + } + if (!list_empty(&group->member_list) || + atomic_read(&group->users)) + continue; + if (tomoyo_add_to_gc(TOMOYO_ID_PATH_GROUP, group)) + list_del_rcu(&group->list); + else + break; + } + } + mutex_unlock(&tomoyo_policy_lock); } static void tomoyo_kfree_entry(void) @@ -335,6 +370,12 @@ static void tomoyo_kfree_entry(void) if (!tomoyo_del_domain(p->element)) continue; break; + case TOMOYO_ID_PATH_GROUP_MEMBER: + tomoyo_del_path_group_member(p->element); + break; + case TOMOYO_ID_PATH_GROUP: + tomoyo_del_path_group(p->element); + break; default: printk(KERN_WARNING "Unknown type\n"); break; diff --git a/security/tomoyo/path_group.c b/security/tomoyo/path_group.c new file mode 100644 index 00000000000..c988041c8e1 --- /dev/null +++ b/security/tomoyo/path_group.c @@ -0,0 +1,172 @@ +/* + * security/tomoyo/path_group.c + * + * Copyright (C) 2005-2009 NTT DATA CORPORATION + */ + +#include <linux/slab.h> +#include "common.h" +/* The list for "struct ccs_path_group". */ +LIST_HEAD(tomoyo_path_group_list); + +/** + * tomoyo_get_path_group - Allocate memory for "struct tomoyo_path_group". + * + * @group_name: The name of pathname group. + * + * Returns pointer to "struct tomoyo_path_group" on success, NULL otherwise. + */ +struct tomoyo_path_group *tomoyo_get_path_group(const char *group_name) +{ + struct tomoyo_path_group *entry = NULL; + struct tomoyo_path_group *group = NULL; + const struct tomoyo_path_info *saved_group_name; + int error = -ENOMEM; + if (!tomoyo_is_correct_path(group_name, 0, 0, 0) || + !group_name[0]) + return NULL; + saved_group_name = tomoyo_get_name(group_name); + if (!saved_group_name) + return NULL; + entry = kzalloc(sizeof(*entry), GFP_NOFS); + if (mutex_lock_interruptible(&tomoyo_policy_lock)) + goto out; + list_for_each_entry_rcu(group, &tomoyo_path_group_list, list) { + if (saved_group_name != group->group_name) + continue; + atomic_inc(&group->users); + error = 0; + break; + } + if (error && tomoyo_memory_ok(entry)) { + INIT_LIST_HEAD(&entry->member_list); + entry->group_name = saved_group_name; + saved_group_name = NULL; + atomic_set(&entry->users, 1); + list_add_tail_rcu(&entry->list, &tomoyo_path_group_list); + group = entry; + entry = NULL; + error = 0; + } + mutex_unlock(&tomoyo_policy_lock); + out: + tomoyo_put_name(saved_group_name); + kfree(entry); + return !error ? group : NULL; +} + +/** + * tomoyo_write_path_group_policy - Write "struct tomoyo_path_group" list. + * + * @data: String to parse. + * @is_delete: True if it is a delete request. + * + * Returns 0 on success, nagative value otherwise. + */ +int tomoyo_write_path_group_policy(char *data, const bool is_delete) +{ + struct tomoyo_path_group *group; + struct tomoyo_path_group_member *member; + struct tomoyo_path_group_member e = { }; + int error = is_delete ? -ENOENT : -ENOMEM; + char *w[2]; + if (!tomoyo_tokenize(data, w, sizeof(w)) || !w[1][0]) + return -EINVAL; + group = tomoyo_get_path_group(w[0]); + if (!group) + return -ENOMEM; + e.member_name = tomoyo_get_name(w[1]); + if (!e.member_name) + goto out; + if (mutex_lock_interruptible(&tomoyo_policy_lock)) + goto out; + list_for_each_entry_rcu(member, &group->member_list, list) { + if (member->member_name != e.member_name) + continue; + member->is_deleted = is_delete; + error = 0; + break; + } + if (!is_delete && error) { + struct tomoyo_path_group_member *entry = + tomoyo_commit_ok(&e, sizeof(e)); + if (entry) { + list_add_tail_rcu(&entry->list, &group->member_list); + error = 0; + } + } + mutex_unlock(&tomoyo_policy_lock); + out: + tomoyo_put_name(e.member_name); + tomoyo_put_path_group(group); + return error; +} + +/** + * tomoyo_read_path_group_policy - Read "struct tomoyo_path_group" list. + * + * @head: Pointer to "struct tomoyo_io_buffer". + * + * Returns true on success, false otherwise. + * + * Caller holds tomoyo_read_lock(). + */ +bool tomoyo_read_path_group_policy(struct tomoyo_io_buffer *head) +{ + struct list_head *gpos; + struct list_head *mpos; + list_for_each_cookie(gpos, head->read_var1, &tomoyo_path_group_list) { + struct tomoyo_path_group *group; + group = list_entry(gpos, struct tomoyo_path_group, list); + list_for_each_cookie(mpos, head->read_var2, + &group->member_list) { + struct tomoyo_path_group_member *member; + member = list_entry(mpos, + struct tomoyo_path_group_member, + list); + if (member->is_deleted) + continue; + if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_PATH_GROUP + "%s %s\n", + group->group_name->name, + member->member_name->name)) + return false; + } + } + return true; +} + +/** + * tomoyo_path_matches_group - Check whether the given pathname matches members of the given pathname group. + * + * @pathname: The name of pathname. + * @group: Pointer to "struct tomoyo_path_group". + * @may_use_pattern: True if wild card is permitted. + * + * Returns true if @pathname matches pathnames in @group, false otherwise. + * + * Caller holds tomoyo_read_lock(). + */ +bool tomoyo_path_matches_group(const struct tomoyo_path_info *pathname, + const struct tomoyo_path_group *group, + const bool may_use_pattern) +{ + struct tomoyo_path_group_member *member; + bool matched = false; + list_for_each_entry_rcu(member, &group->member_list, list) { + if (member->is_deleted) + continue; + if (!member->member_name->is_patterned) { + if (tomoyo_pathcmp(pathname, member->member_name)) + continue; + } else if (may_use_pattern) { + if (!tomoyo_path_matches_pattern(pathname, + member->member_name)) + continue; + } else + continue; + matched = true; + break; + } + return matched; +} diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c index c225c65ce42..d1b96f01962 100644 --- a/security/tomoyo/realpath.c +++ b/security/tomoyo/realpath.c @@ -139,7 +139,7 @@ int tomoyo_realpath_from_path2(struct path *path, char *newname, */ char *tomoyo_realpath_from_path(struct path *path) { - char *buf = kzalloc(sizeof(struct tomoyo_page_buffer), GFP_KERNEL); + char *buf = kzalloc(sizeof(struct tomoyo_page_buffer), GFP_NOFS); BUILD_BUG_ON(sizeof(struct tomoyo_page_buffer) <= TOMOYO_MAX_PATHNAME_LEN - 1); @@ -223,6 +223,25 @@ bool tomoyo_memory_ok(void *ptr) } /** + * tomoyo_commit_ok - Check memory quota. + * + * @data: Data to copy from. + * @size: Size in byte. + * + * Returns pointer to allocated memory on success, NULL otherwise. + */ +void *tomoyo_commit_ok(void *data, const unsigned int size) +{ + void *ptr = kzalloc(size, GFP_NOFS); + if (tomoyo_memory_ok(ptr)) { + memmove(ptr, data, size); + memset(data, 0, size); + return ptr; + } + return NULL; +} + +/** * tomoyo_memory_free - Free memory for elements. * * @ptr: Pointer to allocated memory. @@ -240,8 +259,6 @@ void tomoyo_memory_free(void *ptr) * "const struct tomoyo_path_info *". */ struct list_head tomoyo_name_list[TOMOYO_MAX_HASH]; -/* Lock for protecting tomoyo_name_list . */ -DEFINE_MUTEX(tomoyo_name_list_lock); /** * tomoyo_get_name - Allocate permanent memory for string data. @@ -263,14 +280,15 @@ const struct tomoyo_path_info *tomoyo_get_name(const char *name) len = strlen(name) + 1; hash = full_name_hash((const unsigned char *) name, len - 1); head = &tomoyo_name_list[hash_long(hash, TOMOYO_HASH_BITS)]; - mutex_lock(&tomoyo_name_list_lock); + if (mutex_lock_interruptible(&tomoyo_policy_lock)) + return NULL; list_for_each_entry(ptr, head, list) { if (hash != ptr->entry.hash || strcmp(name, ptr->entry.name)) continue; atomic_inc(&ptr->users); goto out; } - ptr = kzalloc(sizeof(*ptr) + len, GFP_KERNEL); + ptr = kzalloc(sizeof(*ptr) + len, GFP_NOFS); allocated_len = ptr ? ksize(ptr) : 0; if (!ptr || (tomoyo_quota_for_policy && atomic_read(&tomoyo_policy_memory_size) + allocated_len @@ -290,7 +308,7 @@ const struct tomoyo_path_info *tomoyo_get_name(const char *name) tomoyo_fill_path_info(&ptr->entry); list_add_tail(&ptr->list, head); out: - mutex_unlock(&tomoyo_name_list_lock); + mutex_unlock(&tomoyo_policy_lock); return ptr ? &ptr->entry : NULL; } |